Below we provide you with an overview of what data we collect for what purpose and how we ensure the protection of the data when using our mobile app. Your (health) data are encrypted using state of the art technical standards and may, in general, only be associated with you when providing us with your unique login credentials.
The controller and provider of the mobile app ‘Emilyn’ (“App”) is BreakthroughX Health GmbH, c/o Atlantic Labs, Rosenthaler Str. 13, 10119 Berlin, registered with the commercial register of local court (Amtsgericht) Charlottenburg under HRB 192700 B, represented by the managing directors Bazil Azmil and Stefano Palazzo (“we/us/our”). For any questions about data protection you may contact us via email@example.com.
Data Protection Officer
We have appointed an external Data Protection Officer provided by TechGDPR (https://techgdpr.com). Our Data Protection Officer is Silvan Jongerius, and can be contacted at firstname.lastname@example.org.
Personal Data and Processing Purposes
Personal data are any information relating to an identified or identifiable natural person. Personal data include e.g. name or email address.
We will only collect, use and/or pass on personal data if this is permitted by law or if you give your consent. Applicable legal provisions are, in particular, those of the regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, repealing the directive 95/46/EC, on the protection of individuals with regard to the processing of personal data, on the free movement of such data (“General Data Protection Regulation”, GDPR) as well as in the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG).
Your data will be used for the following purposes:
- to provide you with the functionality of the App,
- to answer any requests you send to us,
- to analyze your use of our App and improve our App with our legitimate interests of quality assurance and marketing,
- when health data are processed to use the App and to analyze those data for improving our product and research purposes with your explicit consent, or
You provide data if this is necessary for the aforementioned purposes. In the event you refrain from providing such data you may face disadvantages, for example, limited or no possibility of using our App.
In general we do not process any data via “profiling” or in form of automated decision making via the App.
Download and Use of the App
When using the App, we collect the personal data described below to enable convenient use of the functions. If you want to use our App, we collect the following data, which is technically necessary for us to offer you the functions of our App and to guarantee stability and security (legal basis is Art. 6 (1) f. GDPR): IP address, unique device ID, location, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transmitted in each case, app usage data, operating system and its interface language.
In order to not associate this data with your identity (including your email address), we create a random, unique identifier that is stored on your device and which we can not associate with your account. Some of this data (including your IP address and location) will be permanently deleted after 7 days.
Furthermore we need your email address in order to create and manage your account, to process your enquiries and, if necessary, to be able to contact you. The legal basis for our processing of data is Art. 6 (1) b. GDPR on the basis of the existing contract with us.
You have the right to change the email address within your account at any time.
Health Data and Further Use of the App
For using more functions of the App you are asked to provide us with certain data. Such data will only be sent and provided to us after you clicked the respective submit button within the App. You are able to voluntarily upload files and enter medical information. These (health) data may include the following: gender, date of birth, health information/reports/diagnosis/conditions
You may delete and change entered data any time within your App account.
If the data processed for providing the App services are considered personal data, such data processing is based on Art. 6 (1) b. or f. GDPR for the purpose of providing our service and analyzing those data based on our legitimate interests of improving our product and research purposes. If and as applicable, the processing of health data is based on your explicit consent for the purpose of using the App and analyzing those data for improving our product and research purposes on the legal basis of Art. 9 (2) a. GDPR.
If the processing of your health data is based on your consent, you have the right to withdraw your consent relating to the use of such health data any time with effect for the future. For such withdrawal please send us an email to email@example.com or delete your entire data/account via the respective button in the App.
Analysis of Data
Contacting us; Sending Messages
When contacting us via the App/email, your details are stored for the purpose of processing the enquiry and, if applicable, follow-up questions based on your consent based on the legal basis of Art. 6 (1) a. GDPR or fulfilling your request based on Art. 6 (1) b. GDPR.
Should we receive any special categories of personal data according to Art. 9 (1) GDPR when we are contacted via App/email, we will delete the data promptly and notify the recipient that the data has been deleted.
We may also contact you via App/email for purposes related to the use of the App or similar services based on Art. 6 (1) b. or f. GDPR, TMG, or German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG) if you did not object to such messages.
Newsletter and marketing
We may use your email address, name, and location (i.e. country) to send you email and notifications about our own products and services based on Art. 6 (1) b. or f. GDPR, TMG, or German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG) if you did not object to such messages.
With your explicit consent, we may use your email address, name, and location (i.e. country) to send you email and notifications about products and services offered by third parties. You are able to revoke this consent at any time.
The Health data you enter into the Emilyn app will be used to personalise the app for you. This includes tailoring the app according to your diagnosis, medications used, symptoms you experience and log, your upcoming doctors appointments and check-ins, as well as data about how you use the app (for example: whether or not you are using certain features). The legal basis for this is your explicit consent according to Art. 6 (1) a. GDPRm, meaning you will be asked to explicitly opt-in to these features. Additionally, your basic profile information (your name, date of birth, and gender) will be used to personalise the app for you in accordance with Art. 6 (1) f. GDPR.
Location and language
We may use your location to show and hide certain content in the app that is not applicable to your location or available in your language.
You have certain rights referring to the use of your personal data, which you may act upon any time without any disadvantages:
- You have the right to withdraw your consent relating to the use of data any time with effect for the future when such data processing is based on your consent.
- You are entitled to access the data stored by us and are also entitled to amend or rectify your data if such data are incorrect.
- You have the right to object to the processing of your personal data, for example if your personal data are processed for direct marketing purposes.
- You are entitled to request the erasure of your data.
- You are entitled to receive information about the stored data (in a structured, current and machine-readable format) at any time and to request the correction or deletion of the data in case of incorrect data storage.
For acting according to your rights as set forth above please contact us via firstname.lastname@example.org. You may also download your data via clicking the respective button in the App’s settings menu.
You also have the right to lodge a complaint with a supervisory authority at your choice (for example for Berlin https://www.datenschutz-berlin.de/kontakt.html). An overview of the European National Data Protection Authorities may be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Third Party Providers used by us
When using the App your data may be processed by third party providers engaged by us, for example cloud service providers.
We use a hosting service provider (DigitalOcean, LLC.) that is located in the USA. The data we process using DigitalOcean is physically located in Frankfurt, Germany. DigitalOcean complies with data protection standards applicable in the EU. For further information please refer to https://www.digitalocean.com/legal/compliance/.
We use OpenWeatherMap (a service by Openweather Ltd, 4 Queens Road, Wimbledon, London, SW19 8YB, United Kingdom). If you choose to enable this feature, the App will fetch weather data by issuing a request to OpenWeatherMap containing your location as well as a code that identifies the App as the source of the request. For more information, please refer to https://openweather.co.uk/privacy-policy.
For push notifications used by our chat feature, we use Google Firebase. However, the content of your messages or any other health data are never shared with Firebase. For more information about Firebase, please refer to https://firebase.google.com/support/privacy.
We use Braze (a service provided by Braze, Inc. and Braze Germany GmbH) for purposes of personalising the app experience for you, including messaging via email and push notifications. For more information about Braze, please refer to https://www.braze.com/company/legal.
On the emilyn.app website, we use Matomo to measure anonymous website usage for statistical purposes, to improve our site and to recognize and stop any misuse.
For further information (on engaged third party providers) please contact us via email@example.com.
Deletion of Data; Retention Periods
The data are deleted if such data are no longer necessary for the purpose of processing.
Your IP-address and server-logs (as set forth in ‘Download and Use of the App’ above) are stored for seven (7) days for security and technical reasons.
Your profile and account data (as set forth in ‘Health Data and Further Use of the App’ above) are deleted after you deleted such data in your App account or deleted the entire account via the respective button in the App, which is more or less immediately after such deletion according to our deletion routines.
In the case of long-term contractual relationships, such as the use of our App, these storage periods may vary, but are generally limited to the duration of the contractual relationship or, with regard to the inventory data, to the maximum legal retention periods (e.g. in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO)). Criteria for the storage period include whether the data are still up-to-date, whether the contractual relationship with us still exists, whether an inquiry has already been processed, whether a process has been completed or not, and whether legal retention periods for the personal data concerned are relevant or not.
Data Security and Encryption
We have implemented sufficient measures to ensure data and IT security. The App is operated through a safe TLS-connection, which is a protocol used to encrypt the connection from your device to our servers.
Your health data is secured using client-side encryption, which prevents anyone (including us) from accessing the data unless you explicitly share it.
For any inquiries and additional questions about processing personal data please contact firstname.lastname@example.org. Our contact details may be found in the imprint under the App’s settings menu.