Privacy policy
Version of 01.10.2023
Controller for data processing according to GDPR
The controller within the scope of the General Data Protection Regulation and other privacy laws applicable in the Member States of the European Union and other data protection provisions (Schengen Data Protection Act, SDPA) is:
Pathmate Technologies AG
Josefstr. 219
8005 Zurich
Switzerland
Pathmate Technologies GmbH
Julius-Hatry-Str. 1
68163 Mannheim
Germany
Together hereinafter referred to as “Pathmate”.
Email: datenschutz@pathmate-technologies.com
Data protection tel.: +49 2505 639797
Data protection officer: Nils Möllers, Keyed GmbH
1 Introduction
Thank you for your interest in the data processing practices of Pathmate. This privacy policy explains in detail how we collect, store and process data. It outlines which personal data Pathmate collects in conjunction with use of the Sonoa app and how Pathmate processes this data.
Pathmate processes personal data on the basis of various provisions of law pursuant to Article 6(1) GDPR. We inform you about this in detail so that you can decide whether you want to consent to the processing of your data. On using the app and its contents for the first time, you indicate that you understand and give your implied consent to the various purposes of this privacy policy.
2 What is personal data?
The term “personal data” is defined in the German Privacy Act (Bundesdatenschutzgesetz, BDSG), the Schengen Data Protection Act (SDPA) and in the European Data Protection Regulation (EU GDPR). As defined in these sources, personal data is personal or factual information that relates to an identified or identifiable individual. This includes, for example, your civil name, your address, your telephone number or your date of birth. Use of the app also involves the collection of special personal data, such as blood pressure or BMI. Pathmate implements stricter measures in this case to ensure an appropriate level of protection in accordance with Article 32 of the GDPR.
3 Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations involving personal data, point (a) of Article 6(1) GDPR and point (a) of Article 9(2) GDPR serve as the legal basis for the processing of personal data.
If processing of personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Article 6(1) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures or are required for support queries.
If processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, point (c) of Article 6(1) GDPR serves as the legal basis.
If processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Article 6(1) GDPR serves as the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, point (f) of Article 6(1) GDPR serves as the legal basis for processing.
4 Which data is collected for a specific purpose?
4.1 Data processing after complete registration
Pathmate collects, stores and processes data that you provide to Pathmate or that you transmit by using and signing up for the app. We process the following personal data for the purpose of communication and processing on the basis of point (b) of Article 6(1) GDPR:
- Optional: First name, last name
- Pseudonym / Nickname
- Date of birth
- Sex
- Email address
- Optional: Name of the insurance company
- Optional: Policy number (separate consent is requested in the application)
- Optional: Consent to the receipt of notifications (separate consent is requested in the application)
- Text entered in the chat, answers to questions in the chat and quiz questions.
We process the following personal data for the purpose of analysing user behaviour, optimising the app and troubleshooting on the basis of point (f) of Article 6(1) GDPR:
- Meta/communication data, e.g. duration and frequency of visits, device information, operating system, IP addresses, server log files
- Data on usage of the app (including data on information viewed)
- Communication with us via phone, email, text message (texts, push notifications, etc.)
- Individualised and personal/anonymous and group-related identification, classification and analysis of current and potential user requirements and user interests
- Individualised and personal/anonymous and group-related classification and analysis of user potential
We process the following special personal data for the purpose of providing the app functions and optimising the app on the basis of point (a) of Article 9(2) GDPR:
- Relevant medical measurements for the indications supported, e.g. weight, blood pressure, blood sugar levels, HbA1c, sleep records, well-being
- Details on illnesses/health problems, e.g. high blood pressure or type 2 diabetes
- Medication
We receive the following personal data through your release / linking with our app for the purpose of providing the app functions and optimising the app on the basis of Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR:
- Health data (e.g. blood pressure, pulse) from Google Fit (Android), Apple Health (iOS), Withings or Omron Connect.
- Activity data (e.g. steps) from Google Fit (Android), Apple Health (iOS), Fitbit, Withings, Garmin Connect or Polar Flow
4.2 Information offered before registration is completed
We would like to give our users the opportunity to stay informed if, for example, the user's health insurance does not yet support Sonoa or if new opportunities to use Sonoa arise (e.g. if Sonoa were to be included in the Digital Health Application (DiGA) directory and new access opportunities arise, e.g. through a prescription by the doctor). This means, for example, that if your insurance company supports Sonoa in the future or if we want to send an access code to selected users, you will be informed. We also inform our users when Sonoa is available as a DiGA. For this purpose, we process your contact data, such as the email address, for promotional communication pursuant to Art. 6 para. 1 lit. a) GDPR.
5 Disclosure to third parties
We may share your data with third parties who process the data on behalf of Pathmate for the processing purposes set out in this privacy policy. Our employees only have access to your data to the extent required for the fulfilment of their tasks. Arrangements are in place to ensure that contracted companies do not use your data independently, outside the scope of the contract, or pass it on to third parties. Where necessary, Pathmate has entered into data processing contracts with all such third parties in accordance with the guidelines of the European Commission, pursuant to which they undertake to comply with the data privacy rules.
If we consider it necessary in order to protect and defend our rights or property, we can also pass on your personal and health data in order to comply with the applicable laws and regulations, in case of legal proceedings, at the request of relevant courts and authorities or due to other legal obligations.
5.1 Hosting via gridscale GmbH
All data related to the use of the Sonoa app is hosted in Switzerland with a specialised server hosting company. The hosting services we use are for the provision of the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating the Pathmate system. The processor for hosting services is: gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.
5.2 Use of Thryve Health SDK
Thryve is a provider of single-access health monitoring data. It includes manufacturers such as Garmin, Fitbit, Polar, Withings, Misfit and others, but also sensors from your mobile phone or smartwatch. This service is operated by mHealth Pioneers GmbH, Körtestrasse 10, 10967 Berlin. In particular, we have concluded agreements with Thryve on subcontracted data processing that meet the requirements of Art. 28 GDPR and issue Thryve with instructions on how to handle the data. Through careful selection and regular monitoring, we ensure that our service providers take all organisational and technical measures necessary to protect your data.
After your explicit consent to share your data that is processed by your manufacturer, we only receive a key from mHealth Pioneers GmbH to uniquely assign this data to your profile. You can choose how much data you want to share with each manufacturer.
Legal basis
Data processing and data provision is based on your consent pursuant to point (a) of Article 6(1) GDPR.
Duration of data retention
Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, the data will be erased if you revoke your consent or request the erasure of your personal data.
Further data privacy information is available via the link
https://thryve.health/privacy-policy/
5.3 Use of the Zammad ticketing system
Description and purpose
To be able to answer your queries as quickly as possible, we use a helpdesk (ticketing) system, which involves the use of your personal data. The helpdesk system makes it possible to sort and structure support requests, and to arrange them according to categories in order to assign them faster to the responsible persons and to always be able to keep an eye on the ticket status. We use the services of Zammad GmbH, Marienstrasse 18, 10117 Berlin to implement the helpdesk system.
Legal basis
The legal basis for the processing of personal data is the legitimate interest pursuant to point (d) of Article 6(1) GDPR in the efficient processing of user enquiries.
Recipient
Recipient is Zammad GmbH, Marienstrasse 18, 10117 Berlin.
Transfer to third countries
Data is not transferred to third countries.
Duration of data retention
Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, the data will be erased if you revoke your consent or request the erasure of your personal data.
Right to object
You have the right to object at any time to the processing of your personal data. The right to object does not affect the validity of past data processing operations.
Contractual or legal obligation
There is no contractual or legal obligation for the provision of the data.
Further data privacy information is available via the link
More information on data processing and data privacy by Zammad can be found here: https://zammad.com/en/company/privacy
5.4 Push notifications via Google Cloud Messaging (Firebase) and Apple
If you want to receive push notifications even when you are not in our app, you must provide your consent. We ask for this when you first install (Android) or use (iOS) the app. All notifications or access options can be subsequently switched on or off in the settings menu.
For push notifications we use the services Firebase Cloud Messaging by Google (Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland) and Apple Push Notifications (Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014).
In doing so, Firebase and Apple generate a calculated key (pseudonymised device token ID), which is made up of the app ID and device ID. This key is stored on our push platform with your selected settings to provide you with content tailored to your requirements. The Firebase or Apple servers cannot draw any conclusions about users’ queries or determine any other data related to an individual. Firebase and Apple serve solely as intermediaries.
Legal basis
Data processing is based on our legitimate interests (point (f) of Article 6(1) GDPR) in the optimised provision of our services. In addition, you give your consent to Apple and Google locally on your device pursuant to point (a) of Article 6(1) GDPR.
Duration of data retention
Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, the data will be erased if you revoke your consent or request the erasure of your personal data.
Further data privacy information is available via the link
Further information on Google Firebase and privacy can be found here: https://www.google.com/policies/privacy/
Further information about Apple and privacy can be found here: https://www.apple.com/privacy/
5.5 Use of RevenueCat for Self-Payers
Description and purpose
To process purchases, manage purchases and enable user-friendly and straightforward payment processing in the app, we use the RevenueCat service provided by RevenueCat Inc, 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA. To provide these functions, personal data is transmitted to RevenueCat. The IP address and a randomly generated user ID are transmitted to the service. In order to confirm the successful completion of the transactions, RevenueCat receives feedback as to whether the purchase was completed or cancelled and passes this information on to the app. The region of the user account of the smartphone can also be transmitted. In order to optimise the payment processing during the purchase, RevenueCat already loads the existing purchase options of the users before the payment is completed.
Legal basis
The legal basis for the processing of your personal data is your consent according to point (a) of Article 6(1) GDPR.
Recipient
The recipient is RevenueCat Inc. with the address 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA.
Transfer to third countries
The personal data will be transferred to the United States. The transfer is subject to appropriate safeguards pursuant to Art. 46 GDPR. We have concluded standard contractual clauses with the data importer for this purpose. In addition, we are aware of our responsibility and, where necessary, take further measures to protect the rights and freedoms of natural persons to ensure the protection of personal data.
Duration of data storage
Data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. Furthermore, the data will be deleted if you revoke your consent or request the deletion of the personal data.
Revocation
You have the right to revoke your consent at any time, cf. Art. 7 (3) p. 1 GDPR. This can be done informally and without giving reasons and is effective for the future. The revocation of consent does not affect the lawfulness of the processing carried out until the revocation. Further information on this can be found above in our privacy policy under "Rights of data subjects".
Contractual or legal obligation
There is no contractual or legal obligation to provide the data.
Further data protection information via link
https://www.revenuecat.com/privacy/
https://www.revenuecat.com/dpa/
5.6 Disclosure for scientific purposes
We pseudonymise or anonymise your personal data in accordance with appropriate technical and organisational measures pursuant to point (a) of Article 32(1) GDPR so that no conclusions can be drawn about your person. Disclosure for scientific purposes refers mainly (but not exclusively) to the following data:
- Relevant medical measurements for the indications supported, e.g. weight, blood pressure, blood sugar levels, HbA1c, sleep records, well-being
- Details on illnesses/health problems, e.g. high blood pressure or type 2 diabetes
- Activity data such as number of steps and active minutes per day
- Medication
This anonymised or pseudonymised data is passed on to research institutes, universities and partner companies. The legal basis for this is point (f) of Article 6(1) GDPR, as Pathmate has a legitimate interest in the improvement and evaluation of data-based results.
5.7 Linking with other companies and data sharing
If you have received an access code for the app from a company (e.g. your health insurance company) that enables you to use the app, it may be that we transfer further personal data to the company (for example, so that a validity check of an existing insurance contract or the billing of the programme costs can be carried out via the insurance company). The disclosure may also relate to the pseudonymized or anonymized health data described in Section 5.5. For this purpose, you will be informed accordingly in advance and we will obtain your consent on the basis of Art. 9 Para. 2 lit. a) GDPR.
6 Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller.
You can exercise your data protection rights at any time and obtain information about your data stored and processed by us, correct or supplement your data, object to the processing of your data or request the deletion of your personal data. You will find the contact options at the beginning of this document. You can only assert your data protection rights (information, correction, addition, objection) by specifying an individual numerical code and/or request the deletion of your data directly within the app.
6.1 Right to information
You have the right to request confirmation from the controller as to whether we are processing personal data relating to you. If your personal data is being processed, you can request the following information from the controller:
- the purposes for which personal data is being processed;
- the categories of personal data that are being processed;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making including profiling referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether your personal data is transferred to a third country or an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
6.2 Right to rectification
You have a right to correction and/or completion vis-à-vis the controller if the processed personal data relating to you is incorrect or incomplete. The controller must make the correction without undue delay.
6.3 Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
- you contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you still require the data for the establishment, exercise or defence of legal claims;
- you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction of processing is lifted.
6.4 Right to erasure
You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:
- your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
- your personal data has been unlawfully processed;
- your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- your personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Where the controller has made your personal data public and is obliged pursuant to Article 17(1) GDPR to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.
6.5 Right to notification
If you have asserted your right to rectify or erase personal data or to restrict the processing of your data, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if requested to do so.
6.6 Right to data portability
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6.7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
6.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the revocation.
6.9 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that concern you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and a controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (a) and (c), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
6.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
7 User surveys for product optimisation
We want to ensure maximum customer satisfaction on use of our digital solutions. As developers, we depend on receiving direct feedback from our users. This usually includes information about suggestions for improvement, bugs or malfunctions and other functions. As a rule, information is mainly collected about the product, but this information is linked to your user data, which necessitates the processing of your personal data.
Our legal basis for contacting you to participate in a feedback interview or to complete a feedback form is point (f) of Article 6(1) GDPR. Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. The data will also be deleted if you request the deletion of the personal data (information from the surveys).
8 Integration of other services and third-party content
Our app and any associated communication (e.g. emails) can contain links to third-party websites. We do not have any influence on the information and services on third-party websites. Nor do we have any influence on how third parties handle the data collected on their websites. We are therefore not responsible for complying with data privacy and other applicable laws with regard to third-party links in the app or any associated communication. If you have any questions on this matter, please contact the third-party providers directly.
9 Retention periods for personal data
Personal data is stored for the duration of the respective statutory retention period. After expiry of this period, the data is routinely deleted unless it is necessary for the initiation or fulfilment of a contract.
10 Security
We have taken extensive technical and operational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security procedures are reviewed regularly and adapted to technological progress. Our company also ensures a consistent level of data protection through constant auditing and optimisation of the data protection organisation.
Pathmate reserves the right to change or update this privacy policy at any time. This privacy policy was created on 01.10.2023 by Keyed GmbH.