Privacy Policy for Mail Counseling – Wendepunkt

1. Privacy at a Glance

 

1.1 Who is responsible for processing your data?

 

The responsible party for data processing is the counseling center:
AYGOnet GmbH
Represented by Bernd Jacob
Colmantstraße 39
53115 Bonn, Germany
Phone: +49 (0) 228 85 44 77 90
Email: info(at)aygonet.de
Website: www.aygonet.de

 

1.2 Who can I contact with questions about data protection?

 

Our Data Protection Officer can be reached at:
Lukas Biniossek
SCO-CON:SULT GmbH
Hauptstraße 27
53604 Bad Honnef, Germany
Email: datenschutz(at)diemedialen.de
Website: www.sco-consult.de

 

1.3 What data is processed?

 

Counseling is provided as anonymously as possible. However, the processing of personal data cannot be completely excluded:

• Username and optional (not mandatory) email address
• Text messages and potentially content from uploaded files
• Timestamps of messages and communication participants
• Content in counseling documentation created by counselors
• IP addresses during connection setup and log file storage

 

1.4 What is the legal basis for processing?

 

• Clients: Counseling contract, legitimate interest
  • Creation of user accounts, communication with counselors, and documentation based on the counseling contract established through registration.
  • Retention of documentation and previous usernames based on legitimate interest to fulfill documentation and retention obligations or prevent misuse.
• Counselors: Necessity for the employment relationship
• Technical service providers: Data processing agreements

 

1.5 What is the purpose of data processing?

 

• Technical provision, security, and maintenance of the counseling platform
• Management of user accounts
• Communication between clients and counselors
• Documentation of counseling sessions
• Fulfillment of legal documentation and retention obligations

 

1.6 Who has access to the data?

 

• Selected counselors and, where approved by the client, supervisors at the counseling center
• Other clients in group counseling sessions
• Administrators (limited, no access to counseling dialogues or documentation)
• Data processors for technical and organizational maintenance (limited, no access to counseling dialogues or documentation)

 

1.7 Are data transferred to third countries?

 

No. All data is processed exclusively in Germany.

 

1.8 How long is data stored?

 

• Counseling dialogues are generally deleted when users delete their accounts.
• Counseling centers may define automatic deletion periods for inactive accounts (between 3 and 36 months depending on configuration).
• Inactive account deletion may also be deactivated.
• Backup data is not deleted immediately but at the latest within 4 weeks.
• Counseling documentation is not automatically deleted due to legal retention obligations.
• Usernames are retained to prevent deception through reuse of former usernames.

 

1.9 How is my data protected?

 

Technical measures within the Aygonet platform:

• All data is transmitted via encrypted connections (transport encryption)
• Passwords are securely encrypted before storage
• Counseling dialogues and documentation are encrypted before storage using public-private key encryption (only accessible to authorized counselors)
• Uploaded files are encrypted before storage
• End-to-end encryption for video calls and live chats
• Mandatory two-factor authentication for counselors (configurable)
• Mandatory two-factor authentication for administrators
• Restricted server access to a few individuals and specific IP addresses
• Logging of access and system-relevant events
• More details can be found in the Whitepaper

 

Organizational measures by Aygonet:

 

• Restrictive rights and role management
• Multi-client separation of application areas
• Personalized administrator access
• Vulnerability detection and handling policy
• Confidentiality obligations for employees and service providers
• Staff training in secure data handling
• More details can be found in the Whitepaper

 

2. General Privacy Policy

 

2.1 Scope

 

This privacy policy applies to services accessible via *.aygonet.org (hereinafter referred to as “the counseling platform”).

 

2.2 Legal Basis

 

The legal basis for data protection is the EU General Data Protection Regulation (GDPR).

 

2.3 Name and Address of the Controller

 

WENDEPUNKT – Wuppertaler Krisendienst gGmbH
Represented by Mr. Werner Mütherig, Managing Director
Hofkamp 33
42103 Wuppertal, Germany
Phone: +49 202 244 28 38
Email: info@krisendienst-wuppertal.de
Website: www.krisendienst-wuppertal.de
(„the Controller“/“we“/“us“)

 

2.4 Name and Address of the Data Protection Officer

 

Alessandro Cacciatore
Evangelische Stiftung Tannenhof
Remscheider Str. 76
42899 Remscheid, Germany

 

2.5 Principles of Data Protection and Your Rights

 

2.5.1 Definitions

 

This privacy policy is based on the terms defined by the EU General Data Protection Regulation (GDPR), available in the Official Journal of the European Union.

 

2.5.2 Principles of Personal Data Processing

 

2.5.2.1 Purpose and Scope of Processing
Personal data is collected only for specified purposes and limited to what is necessary for those purposes.

 

2.5.2.2 Legal Bases for Processing
Personal data may be processed if at least one of the following conditions applies:

• Consent from the data subject (Art. 6(1)(a) GDPR)
• Necessity for contract performance or pre-contractual measures (Art. 6(1)(b))
• Legal obligation (Art. 6(1)(c))
• Protection of vital interests (Art. 6(1)(d))
• Public interest or exercise of official authority (Art. 6(1)(e))
• Legitimate interests pursued by the controller or a third party (Art. 6(1)(f)), provided these do not override the interests or rights of the data subject

 

2.5.2.3 Retention Period
Personal data is deleted or blocked once the purpose for storage ceases to apply unless legal provisions require further retention.

 

2.5.2.4 Recipients of Personal Data
Data is shared only with the controller and processors acting under data protection law. Data may be disclosed to third parties only if legally permitted or required.

 

2.5.2.5 Data Transfer to Third Countries
There is no transfer of personal data to third countries.

 

2.5.2.6 Automated Decision-Making
No automated decision-making or profiling takes place.

 

2.5.3 Rights of Data Subjects

2.5.3.1 Right to Withdraw Consent (Art. 7(3))
You may withdraw your consent at any time with future effect.

 

2.5.3.2 Right of Access (Art. 15)
You may request information on your stored personal data, its origin, recipients, purpose, and retention period.

 

2.5.3.3 Right to Rectification (Art. 16)
You may request correction or completion of your data.

 

2.5.3.4 Right to Erasure (Art. 17)
You may request deletion of your data if no valid legal basis remains.

 

2.5.3.5 Right to Restriction of Processing (Art. 18)
You may restrict processing under certain conditions (e.g., if data accuracy is contested).

 

2.5.3.6 Right to Data Portability (Art. 20)
You may request transfer of your data to another controller in a structured, commonly used format.

 

2.5.3.7 Right to Object (Art. 21)
You may object to processing based on legitimate interests or for direct marketing.

 

2.5.3.8 Right to Lodge a Complaint (Art. 77)
You may lodge a complaint with a supervisory authority if you believe data processing violates data protection laws.

 

2.6 Changes to This Privacy Policy

We reserve the right to amend this privacy policy to comply with legal requirements or reflect service changes. The updated policy will apply to future visits.

 

3. Privacy Policy – Special Section

 

3.1 Provision of the Counseling Platform

 

As part of a data processing agreement, we commission an external service provider to operate the counseling platform. This provider is contractually obligated to adhere to the same data protection standards as we are and ensures secure and reliable handling of data processed through the platform. Personal data of data subjects collected via the counseling platform is stored on servers located within the European Economic Area (EEA). The data is stored separately from other applications. The service provider processes personal data only on our instructions and only to the extent necessary to fulfill their contractual obligations.

 

3.2 Collection of Access and Connection Data

 

Each time our website is accessed, our system automatically collects information from the accessing computer system.

 

3.2.1 Scope of Processing

 

The following data may be collected, if transmitted by the browser:

• Browser type and version
• Operating system
• Date and time of the server request
• Referrer URL (previously visited webpage)
• Requested URL on our website
• IP address of the user

Only the “date and time of the server request” and the “address of the requested page on our website” are stored in log files. These data are not stored together with other personal data.

 

3.2.2 Legal Basis

 

The legal basis for this processing is Article 6(1)(f) GDPR.

 

3.2.3 Purpose of Processing

 

Processing the IP address is necessary to deliver the website to the user’s device. Log file storage is used for monitoring system security and stability.

 

3.2.4 Storage Duration

 

Personal data stored in log files is usually deleted after 7 days. In exceptional cases, longer retention may occur if necessary for the stated purposes.

 

3.2.5 Right to Object and Removal

 

The provisions of Article 21 GDPR apply regarding the right to object to processing based on legitimate interests. Since this processing is essential for the functionality and security of our IT systems, objection is generally not possible.

 

3.3 Session Assignment

 

When using our website, so-called session cookies may be stored in your browser.

 

3.3.1 Scope of Processing

 

Our system assigns your browser a random unique identifier stored in a cookie for the duration of your session. This identifier may be linked to other data collected via the website but cannot be used to identify users personally. The cookie is valid only for our site and cannot track your activity on third-party websites.

 

3.3.2 Browser Storage and Access

 

The following cookies may be stored and accessed in your browser:

Name	Duration	Third-Party Access	Domain	Type
__Secure-PHPSESSID	Session	No	*.aygonet.org	First-party cookie
KEY___Secure-PHPSESSID	Session	No	*.aygonet.org	First-party cookie
activeLng	13 months	No	*.aygonet.org	First-party cookie

 

3.3.3 Legal Basis

 

The legal basis is Article 6(1)(f) GDPR.

 

3.3.4 Purpose

 

Session identifiers allow the system to assign requests to the correct browser. This is necessary for managing permissions, accessing protected areas, and maintaining login states—constituting a legitimate interest.

 

3.3.5 Storage Duration

 

Session data is deleted at the end of the session or after one hour of inactivity.

 

3.3.6 Right to Object and Removal

 

The right to object under Article 21 GDPR applies, but since this processing is essential for website functionality, objection is typically not possible.

 

3.4 Use of the Counseling Platform

 

The counseling platform is designed to minimize the processing of personal data. However, some processing may still be necessary.

 

3.4.1 Scope of Processing

 

The scope depends on the specific purpose:

 

3.4.1.1 Creating a User Account

 

To use the platform, users must create an account with the following information:

• Username
• Password
• Email address – optional

These details can be changed at any time after login.

 

3.4.1.2 Resetting the Password

 

Password resets are only possible if an email address was provided. A recovery link can be sent by email. For counselors, accounts must be activated by an administrator. Previous consultation histories can only be accessed after entering the QR code. For clients, only the counselors can unlock and re-encrypt the account. Sending new messages is possible even before consultation histories are decrypted.

 

3.4.1.3 Initial Inquiry and Ongoing Counseling

 

After registration, users can send an initial message to the counseling center. Until assigned, all counselors can view the message. Once assigned, only the selected counselor will typically have access. All messages are encrypted before storage. Metadata such as usernames and timestamps are stored unencrypted. Data restoration is possible in exceptional cases.

 

3.4.1.4 Counseling Documentation

 

The counselor may document the session. These records are encrypted and accessible only to the assigned counselor.

 

3.4.1.5 Transfer of Counseling Cases

 

If a counselor is unavailable, a session may be transferred to another with the user’s consent. The new counselor cannot access prior messages or documentation until the transfer is approved.

 

3.4.1.6 Supervision

 

A supervisor may be involved in ongoing counseling sessions upon the user’s approval, e.g., in conflict situations. The supervisor’s access ends after supervision concludes.

 

3.4.1.7 Group Counseling

 

Counselors can configure privacy settings in group counseling, such as hiding participant names or restricting responses. Groups can only be created by counselors, and joining is by invitation. If a client deletes their account, their messages remain, but their name and profile picture are removed.

 

3.4.2 Legal Basis

 

The processing of personal data for counseling purposes is based on Article 6(1)(b) GDPR, as part of the contract formed through registration. Special categories of personal data are processed under Article 9(2)(h) GDPR by qualified staff bound by confidentiality under Article 9(3) GDPR. The permanent storage of deleted usernames is based on Article 6(1)(f) GDPR.

 

3.4.3 Purpose

 

Data is processed for the purpose of providing counseling and fulfilling the contractual relationship. Usernames of deleted accounts are retained to prevent impersonation or reuse.

 

3.4.4 Storage Duration

 

Data remains stored until the user deletes their account. Counseling records and usernames are excluded from deletion. Inactive accounts are automatically deleted after 24 months unless this setting is disabled.

 

3.4.5 Right to Object and Removal

 

Users can end use of the platform and delete their account at any time via account settings. All messages and account data will then be deleted immediately, except the username and counseling documentation, which are retained.