Privacy Statement
CareOns Rapportage Assistent — Chrome Extension
Careons B.V. · Last updated: 19 May 2026 · Version 1.0
1. Introduction
This Privacy Policy explains how Careons B.V. handles personal data in connection with the CareOns Rapportage Assistent Chrome Extension (the “extension”).
CareOns Rapportage Assistent is a Chrome Extension for care professionals working with supported Electronic Care Record (ECD) systems. The extension adds a CareOns chat bubble to supported care portals, so users can get help writing, improving, and clarifying reports without leaving their existing workflow.
We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch and European data protection law, including NEN 7510 requirements for the protection of health information in care settings.
2. Who We Are
The extension is provided by:
- Company: Careons B.V. (part of Mysoly Group B.V.)
- Address: Ambachtweg 17a, 5731 AE Mierlo, the Netherlands
- Email: info@careons.nl
- Website: https://careons.nl
3. Controller and Processor
When the extension is used by care professionals within their organisation's ECD system, the care organisation is the data controller for the personal data of clients and care professionals. Careons B.V. acts as a data processor in that context, processing this data only on behalf of the care organisation and in accordance with the applicable Data Processing Agreement (DPA).
For operating the CareOns service itself — including account management, authentication, security, and technical support — Careons B.V. acts as the data controller.
4. Purpose of the Extension
The extension has one clear purpose: to support care professionals with writing, improving, and clarifying reports inside supported ECD systems through the CareOns chat bubble.
The extension is not used for advertising, general tracking, credit scoring, or selling user data.
5. What Data We Process
The extension only processes data that is necessary for the CareOns Rapportage Assistent to function.
Account and sign-in information
When a user signs in, the extension processes the information needed to authenticate the user and give access to the CareOns service, such as the account credentials and organisation. This is stored locally in the browser only to keep the user signed in and is not used for advertising or unrelated purposes.
Chat messages and report text
Text entered in the CareOns chat bubble or submitted for improvement is processed only to deliver the requested support. Care-related text is treated as sensitive data; it is not used for advertising or profiling, and it is not shared with third parties for unrelated purposes.
Audio and transcription
The microphone is optional. It is only activated when the user explicitly starts a recording. Audio may be temporarily processed to convert speech to text, which is then used for the report suggestion. The extension never listens in the background and never starts a recording automatically.
ECD page content
The extension works only on websites explicitly configured for use with CareOns. It detects the correct reporting field, displays the chat bubble, and places generated text in the right field. It does not collect general browsing history.
6. Data We Do Not Collect
The extension does not collect:
- Financial or payment information
- GPS location data
- General web browsing history
- Content from websites not configured for use with CareOns
- Mouse movement, scroll behaviour, or keystroke logs
- Data for credit scoring or lending purposes
7. Data Retention
We do not keep personal data longer than necessary for the purposes described in this policy or as required by law.
| Data category | Retention period | Basis |
|---|---|---|
| Local session data | Until sign-out, extension removal, or browser data cleared | Contractual necessity |
| Audio recordings | Deleted immediately after transcription | Data minimisation ‒ GDPR Art. 5 |
| Chat and report text | Processed only to deliver the requested function; not stored beyond the session unless legally required. | Data minimisation ‒ GDPR Art. 5 |
| Security and audit logs | Maximum 12 months | NEN 7510 / NIS2 / GDPR |
8. Sharing of Data
We do not sell user data. We do not share data with third parties for advertising, tracking, credit scoring, or unrelated purposes.
Data is shared only when strictly necessary to deliver the CareOns service. The sub-processors we use are:
| Sub-processor | Role | Safeguards |
|---|---|---|
| AWS (EU region) | Cloud hosting and infrastructure | ISO 27001 certified; GDPR DPA in place; data hosted in EU (Frankfurt / Ireland) |
| Careons B.V. | AI processing for report generation | Internal group entity; subject to Mysoly Group ISMS controls and AI data masking procedures |
| Google Gemini AI | Text generation | Data masking applied; no personal identifiers shared |
| Whisper | Speech-to-text vendor | Data masking applied by default; no personnel ID shared |
All sub-processors are reviewed at least annually as part of our information security management system. Where sub-processors handle personal data on behalf of Careons B.V., appropriate data processing agreements and safeguards are in place.
9. Security & Liability
Careons B.V. takes appropriate technical and organisational measures to protect personal data. These include:
- Encryption of data in transit and at rest
- Role-based access control and multi-factor authentication
- Audit logging of access to health-related data
- Data minimisation and pseudonymisation where possible
- Regular security reviews and penetration testing
Our information security management system is certified to ISO 27001:2022 and aligned with NEN 7510:2024, audited by TÜV NORD.
§ Limitation of Liability
While Careons B.V. implements appropriate security measures to protect personal data, no digital system can be guaranteed to be completely secure. Careons B.V. shall not be liable for damages resulting from circumstances beyond its reasonable control, including cyber incidents or infrastructure failures, except where liability arises from wilful misconduct or gross negligence as defined by applicable law.
10. Legal Basis for Processing
Depending on the context, we process personal data under one or more of the following legal bases:
- Performance of a contract ‒ providing access to the service and delivering report assistance (GDPR Art. 6(1)(b)).
- Legitimate interest ‒ maintaining the security and integrity of the service (GDPR Art. 6(1)(f)).
- Consent ‒ use of the optional microphone feature (GDPR Art. 6(1)(a)). You can withdraw consent at any time in your browser settings.
- Legal obligation ‒ compliance with applicable data protection and security law (GDPR Art. 6(1)(c)).
Where care-related content (health data) is processed, the additional condition under GDPR Art. 9(2)(h) applies ‒ processing for the provision of health or social care.
11. Your Rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Request deletion of your personal data
- Restrict or object to processing
- Request data portability
- Withdraw consent where processing is based on consent
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
To exercise any of these rights, contact the responsible officers listed in the next section. We will respond within one month.
12. Data Protection Contact
For questions regarding personal data processing, privacy matters, or to exercise your rights under the GDPR, please contact the responsible officers below:
For general inquiries, you can also reach us at info@mysoly.com or info@careons.nl.
13. Changes to This Privacy Policy
We may update this Privacy Policy when the extension, legal requirements, or our data practices change. The latest version is always available through the Chrome Web Store listing or at https://careons.nl.
For significant changes, we will inform users via the extension or by email.
Questions? Contact us at info@careons.nl
