I. General Information

1. Contact

If you have any questions or suggestions regarding this information or if you would like to exercise your rights, please contact us at:

eTherapists GmbH
Invalidenstraße 117, 10115 Berlin, Germany
Email: dataprivacy.support@humanoo.com

2. Legal basis

The term “personal data” in data protection law refers to any information relating to an identified or identifiable natural person. We process personal data in compliance with the applicable data protection regulations, in particular the GDPR and the BDSG. We only process personal data on the basis of a legal permission. We process personal data only with your consent (Art. 6 para. 1 letter a GDPR), for the performance of a contract to which you are a party or for the performance of pre-contractual measures at your request (Art. 6 para. 1 letter b GDPR), to comply with a legal obligation (Art. 6 para. 1 letter c GDPR), or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data override (Art. 6 para. 1 letter f GDPR).

3. Duration of storage

Unless otherwise stated in the following information, we will only store data for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations. We will retain personal data that is contained in our accounting data for ten years from the end of the calendar year in which the data was collected, and personal data contained in commercial correspondence and contracts for six years. In other cases, we will keep data related to consent obligations and claims for the duration of the legal limitation periods. Data that we process on the basis of your consent will be deleted if you object to the processing for this purpose.

4. Categories of data recipients

As part of the processing of your data, we use processors. Processing operations carried out by such processors include, for example, hosting, email delivery, maintenance and support of IT systems, customer and order management, order processing, accounting and invoicing, marketing measures, or document and data destruction. A processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively for us as the controller and are contractually obliged to ensure appropriate technical and organizational measures for data protection. In addition, we may transmit your personal data to entities such as postal and delivery services, banks, tax consulting/auditing companies or tax authorities. Further recipients may result from the following information.

5. Data transfer to third countries

Our data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable. Such a transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in such a third country. If such an adequacy decision by the European Commission is not available, a transfer of personal data to a third country only takes place if suitable safeguards are provided in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met. An adequacy decision applies to the following countries: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. For data transfers to the U.S., the adequacy decision applies to companies certified under the Privacy Framework and listed on this list (https://www.dataprivacyframework.gov/s/participant-search).

Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the option to receive or view these EU standard contractual clauses in copy. Please contact the address provided under contact.

If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 para. 1 letter a GDPR.

6. Processing when exercising your rights

When you exercise your rights under Art. 15 to 22 GDPR, we process the personal data transmitted to us for the purpose of implementing these rights and to be able to provide proof thereof. Data stored for the purpose of providing information and its preparation will only be processed for this purpose and for the purposes of data protection control, and in all other cases, processing will be restricted.

These processing activities are based on the legal basis of Art. 6 para. 1 letter c GDPR i.V.m. Art. 15 bis 22 GDPR and § 34 para. 2 BDSG.

7. Your Rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

• You have the right, in accordance with Art. 15 GDPR and § 34 BDSG, to request information as to whether and to what extent we process personal data concerning you or not. You can exercise your right to information within the app under “Account”, “Manage Account”, “Request Data”.
• You have the right, in accordance with Art. 16 GDPR, to request us to correct your data.
• You have the right, in accordance with Art. 17 GDPR and§ 35 BDSG, to request us to delete your personal data. You can exercise your right to deletion within the app under “Account”, “Manage Account”, “Delete Account”.
• You have the right, in accordance with Art. 18 GDPR, to restrict the processing of your personal data.
• You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to another controller.
• If you have given us separate consent for data processing, you can revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a revocation shall not affect the lawfulness of processing carried out on the basis of the consent before its revocation.
• If you believe that the processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

8. Right to object

According to Art. 21 para. 1 GDPR, you have the right to object to processing based on Art. 6 para. 1 letter e or f GDPR, for reasons arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 para. 2 and para. 3 GDPR.

9. Data Protection Officer

You can reach our Data Protection Officer at the following contact details:

Email : datenschutz@humanoo.com

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg

www.datenschutzkanzlei.de

II. Data processing when using HUMANOO

1. Processing of personal data – overview

Personal data are all information relating to an identified or identifiable person. This includes information that can directly identify you, such as your name or photo. In addition, there is information that can indirectly reveal information about you, such as information about your body, impairments or complaints, as well as information about your leisure activities or data that you provide during use to improve quality. Pseudonymous information, i.e. information disclosed without mentioning your name, also falls under personal data. In data protection law, the IP address is generally considered to be personal data. An IP address is assigned by the Internet provider to any device connected to the Internet so that it can send and receive data. Health data are personal information that directly or indirectly provide information about a person’s health. This includes information about physical well-being/complaints, information about mental/psychological health. Health data are considered special categories of personal data and are subject to a particularly high level of protection.

When using HUMANOO, we collect information that you provide yourself. In addition, certain information about your use is automatically collected by us. In the following, we describe in detail which data we process about you for what purposes.

2. Cookies

We use cookies and similar technologies (‘cookies’) in our app. Cookies are small data records that are stored on your device when you use our app.
The use of cookies is partly technically necessary for the operation of our app and is therefore permitted without your consent. In addition, we would like to use cookies to offer special functions and to analyse our app and its use. These may also include cookies from third-party providers (so-called third-party cookies). You can find more information on this in this privacy policy. We only use such technically unnecessary cookies with your consent in accordance with § 25 (1) TDDDG and, if applicable, Art. 6 (1) (a) GDPR. Information on the purposes, providers, and storage duration of individual cookies can be found in the following table:

Cookie: Crashlytics
Provider: Google Ireland Limited (Ireland/EU)
Purpose: Improve app quality – transfer of app crash logs
Storage duration: Until the app is reinstalled/deleted

Cookie: Google Analytics for Firebase
Provider: Google Ireland Limited (Ireland/EU)
Purpose: Personalization – click tracking to adapt/personalize features and content
Storage duration: Until the app is reinstalled/deleted

Cookie: Clevertap
Provider: WizRocket Inc. (USA)
Purpose: Personalization – click tracking to adapt/personalize features and content
Storage duration: Until the app is reinstalled/deleted

You can change your cookie preferences at any time and revoke your consent. You can find the revocation option in the app under Menu >> Account >> Settings >> Personalization.

3. Downloading the app

When downloading the app, certain required information is processed by the app store you have selected (Google Play or Apple App Store), including the username, email address, customer number of your account, the time of download, and the unique device number. The processing of this data is carried out exclusively by the provider of the respective app store and is beyond our control.

4. Registration and setting up a HUMANOO app user account

To use one of our HUMANOO services, you must set up a HUMANOO user account. For registration, we typically collect your email address, IP address, and password. The login data that you enter to use the HUMANOO services is stored on European servers by eTherapists GmbH’s service provider.

You can decide how you want to register your user account during the registration process. We offer the following options for registering your user account:

a. Setting up a user account with an email address

Setting up a user account and using the HUMANOO service is possible using an email address.

b. Setting up a user account with a Google account

If you use the option to log in via Google, your email address and first name will be transmitted to us from your Google account. We only use this data for the purpose of registration and login. In return, Google can recognize when and how you logged in to HUMANOO through the log-in service. There is no further sharing of your use of content or services provided with Google.

c. Setting up a user account with “Sign in with Apple”

If you use the “Sign in with Apple” option, you can choose whether to transmit the email address associated with your Apple ID or a private relay address (alias) to us. The private relay address automatically forwards all emails from us to the email address associated with your Apple ID. Further information on “Sign in with Apple” can be found here: https://support.apple.com/de-de/HT210318 . There is no sharing of your use of HUMANOO content or services provided with Apple by us.

The data processing is carried out to fulfill the service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.

5. Data processing when using the app

a. Automatic processing of personal data when using the app

When you use our app, we collect the following data that is technically necessary for us to provide you with the functions of our app and to ensure stability and security:

• IP address
• Date and time of the request
• Time zone difference to Coordinated Universal Time (UTC)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transferred
• User agent of the app
• Operating system and its interface
• Language and version of the app.

The legal basis for the processing of this data is Art. 6 para. 1 letter f GDPR and it serves our legitimate interest in the security and stability of our app.

The infrastructure is operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/EU). AWS acts as a data processor and may only process the data in accordance with our instructions. When using AWS, a transfer of your personal data to the USA cannot be ruled out. Please refer to the section “Transfer of data to third countries” for more information. In addition, we use the New Relic service of New Relic, Inc. (USA) to evaluate access and ensure data security, which processes the data exclusively as a processor. In this context, a transfer of data to the USA cannot be ruled out. Please refer to the section “Transfer of data to third countries” for more information.

b. User profile and content data

We process the data that you provide us in your user profile and the data that we collect and process when using the app. Your information in the user profile, such as weight, movement data or dietary habits (only if you voluntarily provide them to us), usage behavior and, under certain circumstances, also access rights to your smartphone (e.g. if you want to upload a profile photo). The data processing is carried out in order to provide you with our service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.

We store the user profiles and the data collected when using the app in CleverTap, a service provided by WizRocket Inc. (USA), which is contractually obliged as a processor to process the data exclusively in accordance with our instructions.

Personalized Communication
In CleverTap, we can analyze data in order to send push notifications based on user behavior and to customize the content of mailings. The data is only evaluated for this purpose and the personalized notifications are only sent if you have given your consent. The legal basis for this is Art. 6 Para. 1 Letter a of the GDPR. The legal basis for accessing your end device is § 25 Para. 1 TDDDG. You can revoke your consent at any time with effect for the future. You can find the cancellation option in the app under Menu >> Account >> Settings >> Personalization.

Non-personalized Communication
In CleverTap, we can send push notifications to you as a user to motivate you. An evaluation of your use does not take place for this purpose. The legal basis for displaying the notifications is our legitimate interest in accordance with Art. 6 para. 1 letter f GDPR in a clear user administration and a motivating address for our users.
When using CleverTap, a transfer of data to the USA cannot be ruled out. See the section ‘Data transfer to third countries’.

c. Health data

When using our services, processing of health data under Art. 9 para. 1 GDPR cannot be ruled out. The processing is carried out in order to provide our services. The processing of health data is only carried out with your consent under Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR. The consent is voluntary. If you do not provide your consent, we cannot provide the service offered. There are no further disadvantages. You can revoke your consent at any time by navigating to the Account section in the app menu. Here you will find the Settings section, where you can revoke or change your consent.

d. Anonymization

We reserve the right to anonymize your personal data so that it can subsequently be used for evaluation and optimization purposes. Your data will be anonymized on the basis of the consent you gave us when you registered. The legal basis is Art. 6 (1) (a) GDPR in conjunction with Art. Art. 9 para. 2 letter a GDPR. You can withdraw your consent at any time by navigating to the Account section in the app via the menu. Here you will find the Settings section, where you can revoke or change your consent. Please note that withdrawing your consent means that you will no longer be able to use our service. The use of our service is voluntary.

e. Use of activity information from connected accounts and third parties

You can import activity information from other platforms into your HUMANOO app. You must expressly agree on these platforms that you want to link these platforms with your user account to import this data. You also have the option to determine which data should be imported. You can link the following providers/platforms to your HUMANOO user account:

i. Apple Health App

With an iPhone, you can record activity and health data or import it from different apps into the Apple Health app. You must expressly agree to share this data with HUMANOO or allow HUMANOO to export data to Apple Health. You can revoke the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR and can be revoked at any time.

ii. Google Fit App

With an Android smartphone, you can record activity and health data or import it from different apps into the Google Fit app. You must expressly agree to share this data with HUMANOO or allow HUMANOO to export data to Google Fit. You can revoke the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR. Humanoo’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. The app requests the following authorizations for the corresponding purpose:

• Permission: Information about “Fitness Location”Purpose: To record your data for step, running, and cycling challenges. Your location will not be queried by us.
• Permission: Information about “Fitness Activity”Purpose: This allows us to differentiate between different types of activity and to query the relevant data (steps, running, cycling, heart points) for challenges and training minutes of the “weekly progress” and use it.
• Permission: Information about “Fitness Body”Purpose: This allows us to obtain information about your height and weight in order to display steps, distances, and your personal health statistics in your profile.

You can change the authorization at any time. The exchange will only take place with your consent in accordance with Art. 6 Para. 1 letter a DSGVO in conjunction with Art. 9 Para. 2 letter a DSGVO, which you give to Google and which you can revoke at any time.

iii. Thryve Health SDK

Thryve, a service from mHealth Pioneers GmbH (Germany/EU), allows you to connect and import activity data from various sources. These include the manufacturers Garmin, Fitbit, Polar, Withings and others. It also includes sensors from your cell phone or smartwatch.

After your explicit consent to share your data that is processed by your manufacturer or that should be queried from your mobile phone or smartwatch, we receive only a key from mHealth Pioneers GmbH for unique assignment of this data to your profile. You can determine the extent of the data yourself depending on the manufacturer. We do not receive any further profile information, such as the email address of your user account used with the manufacturer of your fitness tracker. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR and can be revoked at any time with the manufacturer of your wearable.

f. Consultation with health experts and support

The HUMANOO service offers you the opportunity to contact one of our health experts or support staff via email. The use of consultation with health experts is voluntary. If you choose to use the service of an individual consultation with a health expert, they will be able to view the health data you have stored in the HUMANOO service.

When using our customer support, our support staff may access data from your user account in order to support you. The data processing is generally carried out to fulfill the service and is based on the legal basis of Art. 6 para. 1 letter b GDPR. Your health data is processed on the basis of the consent you gave us when you registered. The legal basis is Art. 6 para. 1 letter a GDPR in conjunction with Art. Art. 9 para. 2 letter a GDPR.

For communication with our experts, we use the Freshdesk tool provided by Freshworks Inc. (USA). As a result, data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information.

g. Transactional emails, notifications and product updates

We will send you regular emails about the features and updates of our product. We also send transactional and notification emails. These are not promotional communications, but information about your account or our product. In doing so, personal data such as your name and email address will be processed. We base the sending of these emails on our legitimate interest in providing information about existing and new services and in the technical maintenance of our services. The legal basis is Art. 6 para. 1 letter f GDPR.
You can object to receiving product updates by unsubscribing using the link in the email.
The emails are sent via the Sengrid service of Twilio Ireland Limited, a subsidiary of Twilio Inc (USA). As a result, data transfer to the USA cannot be ruled out. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.

We also analyze the reading behavior and opening rates of our product updates. For this purpose, we collect and process pseudonymized usage data that we do not merge with your email address or IP address. The legal basis for analyzing our updates is 6 para. 1 letter f GDPR, and the processing serves our legitimate interest in optimizing our updates. You can object to this at any time by contacting us using the contact channels mentioned above.

h. Personalization (Google Analytics for Firebase)

We use the Google Analytics for Firebase service from the provider Google Ireland Limited (Ireland/EU) in our app. The Google Analytics for Firebase service is a feature of the Google Firebase development platform. Google Analytics is an analysis service that enables us to collect and analyze data on the behavior of users of our app in order to compile reports on activities within our app. In the process, personal data is processed in the form of online identifiers, IP addresses, device identifiers, and information on interactions with our app. For more information on data collection in Google Analytics, please visit: https://support.google.com/firebase/answer/6318039 . The data is transmitted to Google Ireland and processed by Google exclusively on our behalf.

Some of this data may be information stored on your device. Additionally, Google Analytics may store additional information on your device. Such storage of information by Google Analytics or access to information already stored on your device is only done with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 para. 1 letter a GDPR. The legal basis for access to your device is § 25 para. 1 TTDDG. You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Personalization.

Google Analytics stores certain data associated with an advertising ID for 60 days and retains aggregated reporting without automatic expiration. The retention of user-level data, including conversions, is set to up to 14 months. For all other event data, the retention is set to 2 months. Data transfer to the USA is not excluded. Please refer to the section “Data transfer to third countries.”

i. Quality improvement (Google Crashlytics)

In our app, we use the Firebase Crashlytics service provided by Google Ireland Limited (Ireland/EU). Firebase Crashlytics is a function of the Google Firebase development platform, which is a crash reporting service that helps us improve the stability and reliability of our app. To do this, various data is collected and summarized in crash reports and sent to us. The data is transmitted to Google Ireland for this purpose and processed by Google exclusively on our behalf.

Some of this data may be information that is stored on your device. Access to information that is already stored on your device will only be done with your consent. The legal basis for accessing the device is § 25 para. 1 TDDDG. If personal data is processed, the legal basis in this case is Art. 6 para. 1 letter a GDPR.

Crash reports are only sent with your explicit consent. If you are using an iOS app, you can give your consent in the app settings or after a crash. In Android apps, there is the option to generally agree to the transfer of crash notifications to Google and app developers during the setup of the mobile device.

You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Quality Improvement.

This data is stored for a maximum of 90 days. Data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information.

6. Further data processing within the HUMANOO app

a. 1-on-1 Video Coaching

You have the option of booking a video conference with a professional coach. This requires access to the camera and microphone. The data processing only takes place if you make use of this function, is then generally necessary for the fulfillment of the service and is based on the legal basis of Art. 6 para. 1 letter b GDPR. Your health data is processed on the basis of the consent you gave us when you registered. The legal basis is Art. 6(1)(a) GDPR in conjunction with Art. Art. 9 para. 2 letter a GDPR. The infrastructure is operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/EU). AWS acts as a processor and may only process the data in accordance with our instructions. When using AWS, a transfer of your personal data to the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”

b. Optional Paid Services

Your payment information will only be processed if you use paid services. This occurs, for example, when redeeming rewards or making purchases in our online shop. When redeeming rewards, only your IBAN is processed in addition to your name, and then it is deleted. For our online shop, we process name, address, telephone number, email address, and payment information (IBAN). The data processing is carried out for the performance of the contract and is based on the legal basis of Art. 6 para. 1 letter b GDPR.For our online shop, we use the Shopify shop system for hosting, presentation, and processing of purchases. Shopify is provided by the service provider Shopify International Limited (Ireland). All data collected on our website is processed on behalf of us on the servers of Shopify International Limited. As part of the above services, data may be transmitted to the company Shopify Inc. in Canada for further processing on behalf of us. For the transfer of data to Canada as a third country, where the GDPR is not applicable law, there is an adequacy decision of the European Commission. The European Commission has decided that there is an adequate level of protection in Canada, and data transfer can be carried out in an admissible manner. To pay for products ordered in our online shop, you can choose from various options. To do this, we work with various payment providers. The payment data provided by you during the ordering process is transmitted by us to the payment service provider if this transfer is necessary to carry out the payment transaction.

The legal basis for these data processing activities is Art. 6 para. 1 letter b GDPR. Please note that the respective payment information is processed by the relevant payment service providers as a controller.

We use the following payment service providers:

• PayPal
  You have the option to pay via the PayPal service of PayPal Europe S.a.r.l. et Cie s.c.a. (Luxembourg, EU). PayPal may provide us with your address data stored with PayPal, which we use exclusively to process the contract. For more information on data protection at PayPal, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE#r5 .
• Stripe
  You have the option to use the Stripe payment service, offered by Stripe Payments Europe Ltd. (Ireland, EU). For more information on data protection at Stripe, please visit: https://stripe.com/de/privacy#translation .

c. Submitting medical bills

We offer you the option of submitting medical bills directly to Hallesche Versicherung. With your consent, we will transmit your data to Hallesche Versicherung. The legal basis for the transfer is Art. 6 para. 1 letter a in conjunction with Art. 9 para. 2 letter a GDPR. Consent is voluntary. We cannot offer you this service without consent. Alternatively, you can submit your invoice yourself. Hallesche Versicherung is responsible for the subsequent data processing. You can find further information on this at: https://www.hallesche.de/datenschutz.

7. Communication via email, phone, etc.

When you contact us (e.g., via email or phone), the information of the requester, such as first name, last name, address, telephone number, email address, and the content of your message, is processed to handle the contact request and its processing in accordance with Art. 6 para. 1 letter b GDPR. This is done in order to communicate with you, such as by answering your questions, processing orders, or providing you with the desired information. For our internal communication, we use Google Workspace provided by Google Ireland Limited (Ireland/EU). As a result, data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information. We use the Sendgrid service provided by Twilio Inc. (USA) to send transactional and notification emails. As a result, data transfer to the USA is not excluded. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.

8. Anonymization and sharing with companies, insurers and health insurance funds

We work together with companies, insurers and health insurance providers (HUMANOO-ID issuers) who would like to make the HUMANOO app available to you as an employee or member to improve your health. As an employee or member, you are free to register with us. It is not necessary to use your work email address when registering in the app. Your professional e-mail address may only be required when requesting your HUMANOO ID.

Personal data will not be passed on to companies, insurers or health insurance companies. The data will only be analyzed anonymously and, if necessary, processed to create a completely anonymous health report for your HUMANOO-ID issuer. In this case, anonymity is ensured by the fact that we only create reports if more than 15 people within a company or department use our app. This means that it is not possible to draw conclusions about your personal state of health based on the use of our app and our services.

9. Users of our services from Switzerland

If you are a person within the scope of the Swiss Federal Act on Data Protection, the provisions of the Federal Act on Data Protection apply. This applies in particular to the applicable data subject rights under Art. 25-29, 32 FADP. In addition, the provisions of the GDPR and the FDPA are declared applicable and the applicable data protection laws apply.
Data processing also takes place in the following countries outside Switzerland
Federal Republic of Germany
United States of America (USA)
We guarantee an appropriate level of data protection. This is ensured by
an established adequate level of data protection pursuant to Art. 16 para. 1 FADP (DSG) for the recipient country standard data protection clauses that the FDPIC (EDÖB) has approved, issued or recognized as a matter of priority, in particular the standard contractual clauses of the European Commission; an international treaty in which an adequate level of data protection is regulated.