As of: September 2020
2. Responsible authority in terms of data protection laws
The party responsible for data processing in accordance with Art. 4 § 7 EU General Data Protection Regulation (GDPR) is eTherapists GmbH, Lobeckstraße 36-40, c/o Techspace Kreuzberg, 10969 Berlin, Germany.
You can reach our data protection officer at Datenschutz@humanoo.com
The responsible supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219 Visitor entrance: Puttkamerstr. 16 – 18 (5th floor)
Phone: 030 13889-0
Fax: 030 2155050
3. The data in question:
3.1 General information about the types of data we collect
Data you provide us with
The data we collect includes any data you voluntarily provide to us, such as when you subscribe to our newsletter or contact us over the contact form on the website, email or call us, register or open an account and provide us with personal data.
Data we automatically collect
We may also automatically collect data from you (functional data or cookies), such as when you visit our website or use our app. We may collect data such as the type of device from which you access our website, the operating system and version, your IP address, the type of browser you use, the pages you view on our website or app, and if and how you interact with content on our website or app.
Data we receive from other sources
Data from children
The content of our entire range of services and websites can be used by children and young people. However, participation is only possible with parental consent. Even if young people and children under the age of 18 use our website or app, we do not knowingly or intentionally collect data about them without their parents’ consent. Should we become aware that our services are being used by a minor without parental consent, we will immediately delete all data collected, unless we are legally required to store it.
3.2 What is personal data?
Personal data is all the information that relates to an identified or identifiable person. This includes information with which you can be directly identified, such as your name or picture. In addition, there is data that can indirectly reveal personal information, such as information about your body, restrictions or complaints, as well as information about your leisure activities or information that you provide when you use HUMANOO to improve the services.
Personal data also includes information that is disclosed under a pseudonym, i.e. without mentioning your name.
3.3 What is health data?
Health data comprises personal details which directly or indirectly give information on the health of a person. This includes data on physical well-being/complaints and mental/psychological health. Health data is a special type of personal data and is subject to a particularly high level of protection.
4. What personal data is collected, processed and used, and to what end?
4.1. General guidelines of use and purpose
You can visit the HUMANOO website without having to register, but HUMANOO services can only be used after registering.
As a general rule, we do not transfer your personal data to third parties. The only exceptions are the service partners and contracting parties involved in handling the contractual relationship and companies that eTherapists GmbH cooperates with.
4.2 Use of our website
If you only use our website for information purposes (without contacting us), we only collect the personal data that your browser transmits to our server. If you want to browse our website, we collect the data that is necessary to display the website and ensure its stability and security.
Collected data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred, website from which the request came, browser, operating system and its interface, language and version of the browser software. Legal basis: Art. 6 § 1 p. 1 lit. f) GDPR.
4.3 Use of the HUMANOO services
Our business model includes a variety of services that help you lead a healthier life. You can either register with us online and open an account, or download the HUMANOO app, which helps you to stay fit and healthy, or buy our fitness equipment and exercise courses. To initiate, fulfill and process the existing contractual relationship, we will collect the personal data necessary for processing the contract or using our services.
Note: We work together with companies, insurers and health insurances who want to offer the HUMANOO app to their employees or members to improve their health. The employees or members are free to register with us. Our business model is based on the most anonymous possible collection of user data. We therefore recommend that you do not enter your real name when registering for the HUMANOO app.
4.4. Registering and setting up a HUMANOO user account
To use HUMANOO services, you have to register with HUMANOO and set up an account. It is possible to set up an account and use our website with a pseudonym, meaning you can pick any name you want. The data that you provide in order to use HUMANOO services is stored on German servers by the service provider commissioned by eTherapists GmbH.
Types of registration
You can decide how you want to register when you set up your account.
We offer the following options for setting up your account:
- Register with a pseudonym
- Register with your email address
- Register with your Google account
- Register with your Apple ID
- Register / login with your Facebook account
Setting up an account with a pseudonym
You can set up an account and use HUMANOO services with a pseudonym. You can register with a username of your choice which does not have to correspond to your actual name.
Setting up an account with an email address
You can set up an account and use HUMANOO services with your email address. You can register with a username of your choice which does not have to correspond to your actual name.
Setting up an account via Google
If you register via Google, your email address and first name will be transferred to us from your Google account. We will only use this data for the purposes of login and registration. In return, Google can use the log-in service to recognise when and how you have logged into HUMANOO. However, we do not pass on any information about your use of the content or services provided to third parties.
Setting up an account via Apple
If you register via Apple, you can decide if your email address linked to your Apple ID or an anonymous relay address is transmitted to us. The anonymous relay address automatically forwards all emails from us to the email address linked to your Apple ID.
You can find more information about registering with Apple here: https://support.apple.com/de-de/HT210318
We do not share how you use HUMANOO content or services with Apple Inc.
You can find more information on data use by Apple Inc, 1 Infinite Loop, Cupertino, CA 95014, USA, at https://www.apple.com/legal/privacy/de-ww/.
Registering / logging in via Facebook
If you have already used Facebook to register, your email address and first name will be transferred from your Facebook account to us. We will only use this data for the purposes of login and registration. In return, Facebook can use the log-in service to recognise when and how you have logged into HUMANOO. However, we do not pass on any data about your use of the content or services provided to third parties.
We no longer provide the option of registering via Facebook.
Data collected when registering on our website or purchasing our products:
For registration we usually record: Username, email address (email address not required for anonymous registration), IP address, password.
Your profile information such as weight, exercise and nutritional preferences (only if you provide it voluntarily), IP address, operating system, browser type, browser version, browser configuration, name of the internet service provider and other relevant computer and connection information to identify your device type, to connect to the website, to enable data exchange with your (mobile) device and to ensure proper use of the website. In the context of a product purchase via our webshop: name, address, telephone number, email address, payment information (bank details).
Data collected when using our HUMANOO app:
Username, email address (email address not required for anonymous registration), password, and additional profile information and data arising from using the app, such as weight, exercise and nutritional preferences, and user behaviour. This may also include access rights to your smartphone, for example if you want to upload a profile photo and videos or receive push notifications from us. Only you can grant the access rights. Legal basis: Art. 6 § 1 p. 1 lit. a), lit. b), lit. f) GDPR
Payment information will only be stored if you use services that you have to pay for. The personal data we collect to this end will only be stored as long as it is necessary to execute the contract and any subsequent correspondence relating to the contract or, in the case of documents relevant under commercial and/or tax law that contain personal data, as long as the German Commercial Code and the German Fiscal Code require the storage of these documents. We use the following payment systems and service providers:
4.5 Advice from health experts
As part of HUMANOO’s services, you can contact our health experts and support staff by email. This is optional and requires your explicit consent.
If you choose to have an individual consultation with our health experts, they are able to see the health data you have stored in HUMANOO.
When you use our customer support, the support staff will be able to access your account information to assist you.
We use the following tools for communication with our experts:
4.6 Use of tracking functions and activity data from connected accounts and third parties
You can import activity data from other platforms into the HUMANOO app. You have to explicitly agree that you want to link these platforms to your account to import this data. You can also choose which data you want to import.
You can link the following providers / platforms to your HUMANOO account:
Apple Health App
With an iPhone, you can track activity and health data and import data from different apps into the Apple Health app. You have to explicitly agree to share this data with HUMANOO or allow HUMANOO to export data to Apple Health. You can withdraw your consent at any time.
Google Fit App
With an Android smartphone, you can track activity and health data and import data from different apps into the Google Fit app. You have to explicitly agree to share this data with HUMANOO or allow HUMANOO to export data to Google Fit. You can withdraw your consent at any time.
Thryve Health SDK
Thryve allows you to connect and import activity data from different sources. Among them are the manufacturers Garmin, Fitbit, Polar, Withings, Misfit and others and also your mobile phone sensors and Smartwatch.
After your explicit consent to share your data, which will be processed by your manufacturer or retrieved from your mobile phone or Smartwatch, eTherapists GmbH will receive a key from mHealth Pioneers GmbH to uniquely assign this data to your profile. You can determine the extent of the data shared depending on the manufacturer. Beyond that eTherapists GmbH does NOT receive any other profile information like the email address linked to your account with the manufacturer of your fitness tracker.
4.7 HUMANOO’s preventive healthcare scheme
As part of HUMANOO’s preventive healthcare scheme (https://support.humanoo.com/en/support/solutions/articles/76000032868-humanoo-s-preventative-healthcare-scheme) we process and reimburse certified prevention courses with your health insurance company. We need a separate consent and authorisation to communicate with your health insurance company and process the reimbursement for you. By giving us consent and authorisation you agree to us and your health insurance company exchanging the data necessary for this.
4.8 How to contact us
Name, email address (optional), IP address, data collected via cookies. Legal basis: Art. 6 § 1 p. 1 lit. f) GDPR
4.9 Communicate via email etc.
When you contact us (e.g. contact form, email, telephone, social media), your user details (e.g. your first name, surname, address, telephone number, email address and the content of your message) will be processed in accordance with Art. 6 § 1 lit. b) GDPR to process the request and contact you if you have gotten in touch with us. This includes answering your questions, processing orders and providing you with the information that you have requested.
For our internal communication, we use Gmail from Google Inc, 600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We have integrated Gmail in compliance with data protection.
To communicate with contractual partners like companies or insurances we use close.io from elastic Inc., 800 West El Camino Real, Suite 350 Mountain View California, 94040 USA. Read their GDPR guidelines here: https://close.io/gdpr/.
To communicate with interested parties and companies, we use Hubspot Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, Attn: Privacy. Read their GDPR guidelines here: https://legal.hubspot.com/product-privacy-policy.
We delete the requests if they are no longer necessary and check this regularly. Legal archiving obligations apply.
5. How we use your data
We only use your data:
– to provide you with our services,
– to execute contracts with you,
– to answer your questions,
– for our compliance with legal obligations and to design and develop our services in an attractive way that is tailored to your interests,
– to manage awards, surveys, contests, giveaways and other promotional activities or events,
– for any other purposes to which you have agreed in individual cases.
All the data collected in this way has been provided voluntarily by you (e.g. subscribing to our newsletter, profile entries, using our services) or because we need it to establish, elaborate or modify the contractual relationship (inventory data) or because we are legally obliged to collect it or have a legitimate interest in collecting it (e.g. for marketing purposes: to analyse and improve our services and the content on our website and in our app or to avert dangers).
Note on the right to object: if we process your personal data on the basis of our legitimate interest and there is no option to opt out (e.g. due to a default setting) you can exercise your right to object at any time by emailing us at firstname.lastname@example.org. Find out more in the section “Your Rights”.
6. How we pass on your data to third parties
We will never sell your data to third parties.
We only pass on personal data to third parties if this is necessary to execute the contract (e.g. to the bank handling payments) and if we are legally obliged to do so.
The basis for data processing is Art. 6 § 1 lit. b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures, Art. 6 lit. c) GDPR.
Our app is offered as Software as a Service. For this purpose, we use the cloud computing service, Amazon Web Services EMEA SARL (Branch Office Germany Marcel-Breuer-Str. 12, 80807 Munich) with servers in Germany.
We will disclose your personal data to law enforcement agencies, investigating authorities or in legal proceedings if we are required to do so by law or if it is necessary to perform the services or to protect our or users’ rights.
Sale or merger
We may disclose your personal data in the event of a merger, acquisition or sale of all or any part of our assets. We will, of course, notify you by email and/or put a clear notice on our website and inform you of your rights.
Sharing and disclosure of aggregated data
We share data in aggregated form and/or in a form that does not allow the recipient to identify you from that data – for example, with third parties for industry analysis or contractors.
7. How we protect the data we collect
Protecting your personal data is very important to us. Although we take reasonable precautions to protect the personal data we collect, we would like to point out that no security system is infallible.
We use a number of technical and organisational measures and industry standards to protect your personal data from loss, theft, misuse, unauthorised access and disclosure, alteration and destruction. The personal data we collect is stored on computer systems with restricted access. In addition, we require third parties we hire to maintain appropriate security measures for the data we pass on. When you visit our website or send us data through the website, your data is protected by encryption technologies such as transport layer security (https encryption).
8. How long we keep your data
9. Your rights
You have the following rights in terms of the use of your personal data:
Right of access by the data subject in accordance with Art. 15 GDPR
You can ask us to send you a copy of the personal data that we have collected.
Right to rectification and erasure in accordance with Art. 16, 17 GDPR
You can notify us if your personal data has changed or if you want us to change the personal data we collect.
In certain cases, you can ask us to delete the personal data we collect.
Right to restriction of processing in accordance with Art. 18 GDPR
In certain cases, you have the right to restrict the processing of your data.
Right to revoke consent and to object in accordance with Art. 7 § 3, Art. 21 GDPR
If you have consented to having your data processed, you can withdraw your consent for future data processing at any time. Withdrawing your consent has an effect on the permissibility of processing your personal data.
If we base the processing of your personal data on a weighing of interests, you can object to the processing. This is the case if the processing of the data is not necessary for the fulfilment of your contract. In the event of such an objection, we ask you to explain the reasons why we should not process your personal data in the way that we have done. If your objection is justified, we will examine the situation and either stop or adapt the data processing or explain our reasons for continuing to process your data.
Right of appeal in accordance with Art. 77 GDPR
We will always try to find a solution should you have a problem with the way we use your data. If you feel we were unable to help you resolve the issue, you also have the right to complain to a data protection supervisory authority about our processing of your personal data.
We rely on you to ensure that your personal data is complete, accurate and up to date. Please inform us immediately of any changes or inaccuracies in your personal data by sending an email to email@example.com.
10. Data protection for applications and in the application procedure
When you use our website, cookies are stored on your computer in addition to the above-mentioned data to make our website more attractive. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using. This means that certain data is transmitted to the location that sets the cookie – in this case to us. Cookies cannot execute programmes or transfer viruses to your computer. We can set the following types of cookies:
Transient cookies are automatically deleted when you close your browser. This includes session cookies. They store a session ID, which can be used to assign various requests from your browser to the shared session. This enables your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close your browser.
Persistent cookies are automatically deleted after a certain period of time, which you can set yourself. You can delete cookies in your browser security settings at any time.
When personal data is collected or stored by the cookies, the processing is carried out in accordance with Art. 6 lit. b) GDPR for the fulfilment of a contract or for the implementation of pre-contractual measures, which are carried out at the request of the person concerned, or in accordance with Art. 6 lit. f) in pursuit of our legitimate interests for the maintenance of the functionality of our website, as well as its user-friendly and effective design.
You can set your browser to inform you about cookies being used, and you can choose if you want to accept them and in what cases you want them to be used. Every browser decides on how cookies will be implemented. In your browser’s help menu, you will find information on how to change your cookie settings.
Direct marketing (Newsletter)
You can subscribe to our newsletter by giving your consent, which allows us to inform you about our latest offers. The advertised goods and services appear in the declaration of consent.
We use a double opt-in procedure to register you for our newsletter. This means that after you register, we send you an email to confirm you want to receive the newsletter. If you do not confirm your registration within 24 hours, your data will be blocked and automatically deleted after one month. In addition, we save the IP addresses you use and the dates of registration and confirmation. The purpose of the procedure is to prove your registration and, if necessary, clarify any possible misuse of your personal data.
Your email address is the only data we require for the newsletter. Additional separately marked data is voluntary and used to address you personally. After your confirmation, we save your email address to send you the newsletter. The legal basis for this is Art. 6 § 1 p. 1 lit. a) GDPR.
You can withdraw your consent and unsubscribe at any time by clicking on the link in the newsletter, by emailing firstname.lastname@example.org or by sending a message to the address in the imprint.
We would like to point out that we evaluate your user behaviour when we send out our newsletter.
You can object to this tracking at any time by clicking on the link provided in each email or by contacting us. The data is stored for as long as you remain subscribed to the newsletter. When you unsubscribe, we only store the data statistically and anonymously.
Our newsletters are sent by “MailChimp”, an email marketing service of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email marketing service can use the recipient’s data in pseudonymous form, i.e. without allocation to a user, to optimise or improve its own services, for example to optimise the sending processes and the presentation of the newsletter or for statistical purposes. However, the email marketing service does not use the data of our newsletter recipients to email them or to pass the data on to third parties.
Use of Google Analytics
Google will use this data on our behalf to evaluate the use of our website by users, to compile reports on activities on this website and to provide us with other services associated with the use of the website and the internet. Anonymous user profiles can be created from the processed data.
We use Google Analytics exclusively with the extension “anonymizeIp()”, which ensures an anonymisation of the IP address by shortening and excluding a direct personal reference. This means that the IP address of the user is shortened by Google within member states of the European Union or states in the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. In these cases, the processing, in accordance with Art. 6 f) GDPR, is carried out in the exercise of our legitimate interests for marketing purposes and to maintain the attractiveness of our offer. The IP address transmitted by the user’s browser is not merged with other Google data.
You, the user, can prevent the storage of cookies by using the appropriate settings in your browser software. You also have the option of preventing Google from collecting the data generated by cookies and related to your use of the online service, and to prevent Google from processing this data by downloading and installing the browser plugin, available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
If you do not wish Google Analytics to analyse your website usage anonymously, you can object here at any time with effect for the future. When you click on the link, an opt-out cookie is stored on your end device. When you visit our website again, this cookie prevents your data from being collected again. To prevent Universal Analytics from collecting your data across multiple devices, you have to opt-out of all systems in use.
Use by Google AdWords Conversion Tracking
We use the online application programme Google AdWords and, in the context of Google AdWords, conversion tracking on our website. Google Conversion Tracking is an analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). When you click on an ad placed by Google, a conversion tracking cookie is placed on your computer. These cookies lose their validity after 30 days, do not contain any personal data and are therefore not used for personal identification.
If you visit certain pages on our website and the cookie has not expired, Google and we may recognise that you clicked on the ad and were directed to that page. Each Google AdWords customer receives a different cookie. As a result, there is no way that cookies can be tracked through the AdWords customer’s website.
The data collected from the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. This tells customers the total number of users who clicked on their ad and were directed to a page tagged with a conversion tracking tag. However, they will not receive any data that personally identifies users.
If you do not wish to participate in tracking, you can object to this use by preventing the installation of cookies, by making the appropriate settings in your browser software (deactivation option), which will then exclude you from the conversion tracking statistics.
Google Adsense with personalised ads
We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in accordance with Art. 6 § 1 lit. f. GDPR).
We use the AdSense service, which displays ads on our website and pays us for displaying or otherwise using them. For these purposes, usage data such as clicks on an advertisement and the IP address of the user are processed, whereby the IP address is shortened by the last two digits. Therefore, the processing of user data is pseudonymised.
We use Adsense with personalised ads. Google receives information about the interests of users based on the websites or apps they visit and the user profiles they create. Advertisers use this data to tailor their campaigns to these interests, which is beneficial to both users and advertisers. For Google, ads are personalised when data that is collected or known determines or influences the selection of ads. This includes, but is not limited to, past searches, activities, website visits, app usage, demographics, and location data. Specifically, this includes demographic targeting, targeting interest categories, remarketing and targeting customer match lists and target audience lists, uploaded to DoubleClick Bid Manager or Campaign Manager.
Stability and reliability – use of Crashlytics
To improve the stability and reliability of our apps, we rely on anonymous crash reports. We use “Firebase Crashlytics”, a service of Google Ireland Ltd, Google Building Gordon House, Barrow Street, Dublin 4, Ireland.
In case of a crash, anonymous data is transferred to Google’s servers in the USA (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the mobile phone, last log messages). This does not contain any personal data.
12. Involvement of social networks/ “Social Plugins” on the HUMANOO website
We use Social Plugins (“Plugins”) from different social networks on our website (not in the HUMANOO app). With the help of these plugins, you can, for example, share content or recommend products. The plugins are usually deactivated, and therefore do not send any data. You can reactivate the plugins with one click, should you want to.
If these plugins are activated, your browser establishes a direct connection with the respective social network’s servers as soon as you visit a page of our website. The content of the plugin is transmitted directly from the social network to your browser, which then integrates it into the website.
By integrating the plugins, the social network receives the data that you visited that page of our website. If you are logged in to the social network, it can connect the visit to your account. If you interact with the plugins, for example by clicking on the Facebook “Like” button or by submitting a comment, the corresponding data is transmitted directly from your browser to the social network and stored there.
The purpose and scope of this data collection, further processing and use of the data by social networks, your rights in this respect and settings options to protect your privacy can be found in the privacy policies of the respective networks or websites. You can find the relevant links below.
Even if you are not registered with the social networks, websites with active social plugins can send data to the networks. An active plugin sets a cookie with an identifier each time the website is accessed. Since your browser sends this cookie every time you connect to a network server without being asked, the network could in principle use it to create a profile, consisting of which web pages the user belonging to the identifier has visited. And it would then also be possible to assign this identifier to a person again later – for example when logging on to the social network later.
If you don’t want social networks to collect data about you via active plugins, you can select the “Block third-party cookies” function in your browser settings. Then the browser will not send cookies to the server for embedded content from other providers. With this setting, other functions may no longer work either though.
We use the following plugins on our website:
13. Changes to the Data Protection Policy