Below we provide you with an overview of what data we collect for what purpose and how we ensure the protection of the data when using our mobile app. Your (health) data are encrypted using state of the art technical standards and may, in general, only be associated with you when providing us with your unique login credentials.

Controller

The controller and provider of the mobile app ‘Emilyn’ (“App”) is BreakthroughX Health GmbH, c/o Atlantic Labs, Rosenthaler Str. 13, 10119 Berlin, registered with the commercial register of local court (Amtsgericht) Charlottenburg under HRB 192700 B, represented by the managing directors Bazil Azmil and Stefano Palazzo (“we/us/our”). For any questions about data protection you may contact us via privacy@breakthrough.health.

Data Protection Officer

We have appointed an external Data Protection Officer provided by TechGDPR (https://techgdpr.com). Our Data Protection Officer is Silvan Jongerius, and can be contacted at privacy@breakthrough.health.

Personal Data and Processing Purposes

Personal data are any information relating to an identified or identifiable natural person. Personal data include e.g. name or email address.

We will only collect, use and/or pass on personal data if this is permitted by law or if you give your consent. Applicable legal provisions are, in particular, those of the regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, repealing the directive 95/46/EC, on the protection of individuals with regard to the processing of personal data, on the free movement of such data (“General Data Protection Regulation”, GDPR) as well as in the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG).

Your data will be used for the following purposes:

• to provide you with the functionality of the App,
• to answer any requests you send to us,
• to implement this privacy policy and carrying out the contractual relationship with you,
• to analyze your use of our App and improve our App with our legitimate interests of quality assurance and marketing,
• when health data are processed to use the App and to analyze those data for improving our product and research purposes with your explicit consent, or
• as otherwise explained in this privacy policy or by any communication by us.

You provide data if this is necessary for the aforementioned purposes. In the event you refrain from providing such data you may face disadvantages, for example, limited or no possibility of using our App.

In general we do not process any data via “profiling” or in form of automated decision making via the App.

Download and Use of the App

When using the App, we collect the personal data described below to enable convenient use of the functions. If you want to use our App, we collect the following data, which is technically necessary for us to offer you the functions of our App and to guarantee stability and security (legal basis is Art. 6 (1) f. GDPR): IP address, unique device ID, location, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transmitted in each case, app usage data, operating system and its interface language.

In order to not associate this data with your identity (including your email address), we create a random, unique identifier that is stored on your device and which we can not associate with your account. Some of this data (including your IP address and location) will be permanently deleted after 7 days.

Furthermore we need your email address in order to create and manage your account, to process your enquiries and, if necessary, to be able to contact you. The legal basis for our processing of data is Art. 6 (1) b. GDPR on the basis of the existing contract with us.

You have the right to change the email address within your account at any time.

Health Data and Further Use of the App

For using more functions of the App you are asked to provide us with certain data. Such data will only be sent and provided to us after you clicked the respective submit button within the App. You are able to voluntarily upload files and enter medical information. These (health) data may include the following: gender, date of birth, health information/reports/diagnosis/conditions

You may delete and change entered data any time within your App account.

If the data processed for providing the App services are considered personal data, such data processing is based on Art. 6 (1) b. or f. GDPR for the purpose of providing our service and analyzing those data based on our legitimate interests of improving our product and research purposes. If and as applicable, the processing of health data is based on your explicit consent for the purpose of using the App and analyzing those data for improving our product and research purposes on the legal basis of Art. 9 (2) a. GDPR.

If the processing of your health data is based on your consent, you have the right to withdraw your consent relating to the use of such health data any time with effect for the future. For such withdrawal please send us an email to privacy@breakthrough.health or delete your entire data/account via the respective button in the App.

Analysis of Data

We also use the information collected, including your personal data, in order to improve and analyze your use of our App based on Art. 6 (1) b. and f. GDPR or TMG and to ensure the technical functionality of our services fulfillment of contractual or pre-contractual obligations (based on Art. 6 (1) b. GDPR or TMG and as otherwise explained in this privacy policy). Regarding the data processing based on Art. 6 (1) f. GDPR we wish to achieve the legitimate interests of quality assurance and marketing.

Contacting us; Sending Messages

When contacting us via the App/email, your details are stored for the purpose of processing the enquiry and, if applicable, follow-up questions based on your consent based on the legal basis of Art. 6 (1) a. GDPR or fulfilling your request based on Art. 6 (1) b. GDPR.

Should we receive any special categories of personal data according to Art. 9 (1) GDPR when we are contacted via App/email, we will delete the data promptly and notify the recipient that the data has been deleted.

We may also contact you via App/email for purposes related to the use of the App or similar services based on Art. 6 (1) b. or f. GDPR, TMG, or German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG) if you did not object to such messages.

Newsletter and marketing

We may use your email address, name, and location (i.e. country) to send you email and notifications about our own products and services based on Art. 6 (1) b. or f. GDPR, TMG, or German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG) if you did not object to such messages.

With your explicit consent, we may use your email address, name, and location (i.e. country) to send you email and notifications about products and services offered by third parties. You are able to revoke this consent at any time.

Personalisation

The Health data you enter into the Emilyn app will be used to personalise the app for you. This includes tailoring the app according to your diagnosis, medications used, symptoms you experience and log, your upcoming doctors appointments and check-ins, as well as data about how you use the app (for example: whether or not you are using certain features). The legal basis for this is your explicit consent according to Art. 6 (1) a. GDPRm, meaning you will be asked to explicitly opt-in to these features. Additionally, your basic profile information (your name, date of birth, and gender) will be used to personalise the app for you in accordance with Art. 6 (1) f. GDPR.

Location and language

We may use your location to show and hide certain content in the app that is not applicable to your location or available in your language.

Your Rights

You have certain rights referring to the use of your personal data, which you may act upon any time without any disadvantages:

• You have the right to withdraw your consent relating to the use of data any time with effect for the future when such data processing is based on your consent.
• You are entitled to access the data stored by us and are also entitled to amend or rectify your data if such data are incorrect.
• You have the right to object to the processing of your personal data, for example if your personal data are processed for direct marketing purposes.
• You are entitled to request the erasure of your data.
• You are entitled to receive information about the stored data (in a structured, current and machine-readable format) at any time and to request the correction or deletion of the data in case of incorrect data storage.

For acting according to your rights as set forth above please contact us via privacy@breakthrough.health. You may also download your data via clicking the respective button in the App’s settings menu.

You also have the right to lodge a complaint with a supervisory authority at your choice (for example for Berlin https://www.datenschutz-berlin.de/kontakt.html). An overview of the European National Data Protection Authorities may be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

Third Party Providers used by us

When using the App your data may be processed by third party providers engaged by us, for example cloud service providers.

We use a hosting service provider (DigitalOcean, LLC.) that is located in the USA. The data we process using DigitalOcean is physically located in Frankfurt, Germany. DigitalOcean complies with data protection standards applicable in the EU. For further information please refer to https://www.digitalocean.com/legal/compliance/.

If you choose to use Sign-in with Google, Google will share your profile information (email address, name, profile picture, locale) with us. Please refer to Google's Privacy Policy for details.

We use OpenWeatherMap (a service by Openweather Ltd, 4 Queens Road, Wimbledon, London, SW19 8YB, United Kingdom). If you choose to enable this feature, the App will fetch weather data by issuing a request to OpenWeatherMap containing your location as well as a code that identifies the App as the source of the request. For more information, please refer to https://openweather.co.uk/privacy-policy.

We use the app performance and analysis technology “adjust”, a service provided by adjust GmbH ("Adjust"). For more information about their product and privacy policy, please visit: https://www.adjust.com/privacy-policy/. When you launch the Emilyn app, adjust processes install and event data in order to help us understand how our users are interacting with our apps and to optimize and analyze our mobile ad campaigns. For such analysis, adjust uses your mobile identifier like IDFA or Google Play Services ID, and your pseudononymized (hashed) IP- and possibly MAC address. The hashes used are one-way hashes and it is not possible to identify you or your mobile device individually.

For push notifications used by our chat feature, we use Google Firebase. However, the content of your messages or any other health data are never shared with Firebase. For more information about Firebase, please refer to https://firebase.google.com/support/privacy.

We use Braze (a service provided by Braze, Inc. and Braze Germany GmbH) for purposes of personalising the app experience for you, including messaging via email and push notifications. For more information about Braze, please refer to https://www.braze.com/company/legal.

On the emilyn.app website, we use Matomo to measure anonymous website usage for statistical purposes, to improve our site and to recognize and stop any misuse.

For further information (on engaged third party providers) please contact us via privacy@breakthrough.health.

Deletion of Data; Retention Periods

The data are deleted if such data are no longer necessary for the purpose of processing.

Your IP-address and server-logs (as set forth in ‘Download and Use of the App’ above) are stored for seven (7) days for security and technical reasons.

Your profile and account data (as set forth in ‘Health Data and Further Use of the App’ above) are deleted after you deleted such data in your App account or deleted the entire account via the respective button in the App, which is more or less immediately after such deletion according to our deletion routines.

In the case of long-term contractual relationships, such as the use of our App, these storage periods may vary, but are generally limited to the duration of the contractual relationship or, with regard to the inventory data, to the maximum legal retention periods (e.g. in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO)). Criteria for the storage period include whether the data are still up-to-date, whether the contractual relationship with us still exists, whether an inquiry has already been processed, whether a process has been completed or not, and whether legal retention periods for the personal data concerned are relevant or not.

Data Security and Encryption

We have implemented sufficient measures to ensure data and IT security. The App is operated through a safe TLS-connection, which is a protocol used to encrypt the connection from your device to our servers.

Your health data is secured using client-side encryption, which prevents anyone (including us) from accessing the data unless you explicitly share it.

Access and Changes to this Privacy Policy

This privacy policy is accessible via the App’s settings menu.

We reserve the right to change the regulations of this privacy policy at any time, taking into account applicable laws and data protection provisions.

Contact Details

For any inquiries and additional questions about processing personal data please contact privacy@breakthrough.health. Our contact details may be found in the imprint under the App’s settings menu.