Privacy Policy for users of the HUMANOO app


With this privacy policy, we inform you as a user of our HUMANOO app about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG). Responsible for the data processing is eTherapists GmbH (subsequently referred to as “we” or “us”).

[04.08.2023]

I. General Information

1. Contact

If you have any questions or suggestions regarding this information or if you would like to exercise your rights, please contact us at:

eTherapists GmbH
Invalidenstraße 117, 10115 Berlin, Germany
Email: dataprivacy.support@humanoo.com

2. Legal basis

The term “personal data” in data protection law refers to any information relating to an identified or identifiable natural person. We process personal data in compliance with the applicable data protection regulations, in particular the GDPR and the BDSG. We only process personal data on the basis of a legal permission. We process personal data only with your consent (§ 25 para. 1 TTDSG or Art. 6 para. 1 letter a GDPR), for the performance of a contract to which you are a party or for the performance of pre-contractual measures at your request (Art. 6 para. 1 letter b GDPR), to comply with a legal obligation (Art. 6 para. 1 letter c GDPR), or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data override (Art. 6 para. 1 letter f GDPR).

3. Duration of storage

Unless otherwise stated in the following information, we will only store data for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations. We will retain personal data that is contained in our accounting data for ten years from the end of the calendar year in which the data was collected, and personal data contained in commercial correspondence and contracts for six years. In other cases, we will keep data related to consent obligations and claims for the duration of the legal limitation periods. Data that we process on the basis of your consent will be deleted if you object to the processing for this purpose.

4. Categories of data recipients

As part of the processing of your data, we use processors. Processing operations carried out by such processors include, for example, hosting, email delivery, maintenance and support of IT systems, customer and order management, order processing, accounting and invoicing, marketing measures, or document and data destruction. A processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively for us as the controller and are contractually obliged to ensure appropriate technical and organizational measures for data protection. In addition, we may transmit your personal data to entities such as postal and delivery services, banks, tax consulting/auditing companies or tax authorities. Further recipients may result from the following information.

5. Data transfer to third countries

Our data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable. Such a transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in such a third country. If such an adequacy decision by the European Commission is not available, a transfer of personal data to a third country only takes place if suitable safeguards are provided in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met. An adequacy decision applies to the following countries: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. For data transfers to the U.S., the adequacy decision applies to companies certified under the Privacy Framework and listed on this list (https://www.dataprivacyframework.gov/s/participant-search).

Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the option to receive or view these EU standard contractual clauses in copy. Please contact the address provided under contact.

If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 para. 1 letter a GDPR.

6. Processing when exercising your rights

When you exercise your rights under Art. 15 to 22 GDPR, we process the personal data transmitted to us for the purpose of implementing these rights and to be able to provide proof thereof. Data stored for the purpose of providing information and its preparation will only be processed for this purpose and for the purposes of data protection control, and in all other cases, processing will be restricted in accordance with Art. 18 GDPR.

These processing activities are based on the legal basis of Art. 6 para. 1 letter c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 para. 2 BDSG.

7. Your Rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

  • You have the right, in accordance with Art. 15 GDPR and § 34 BDSG, to request information as to whether and to what extent we process personal data concerning you or not. You can exercise your right to information within the app under “Account”, “Manage Account”, “Request Data”.
  • You have the right, in accordance with Art. 16 GDPR, to request us to correct your data.
  • You have the right, in accordance with Art. 17 GDPR and § 35 BDSG, to request us to delete your personal data. You can exercise your right to deletion within the app under “Account”, “Manage Account”, “Delete Account”.
  • You have the right, in accordance with Art. 18 GDPR, to restrict the processing of your personal data.
  • You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to another controller.
  • If you have given us separate consent for data processing, you can revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a revocation shall not affect the lawfulness of processing carried out on the basis of the consent before its revocation.
  • If you believe that the processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

8. Right to object

According to Art. 21 para. 1 GDPR, you have the right to object to processing based on Art. 6 para. 1 letter e or f GDPR, for reasons arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 para. 2 and para. 3 GDPR.

9. Data Protection Officer

You can reach our Data Protection Officer at the following contact details:

Email: datenschutz@humanoo.com

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg

www.datenschutzkanzlei.de

II. Data processing when using HUMANOO

Personal data are all information relating to an identified or identifiable person. This includes information that can directly identify you, such as your name or photo. In addition, there is information that can indirectly reveal information about you, such as information about your body, impairments or complaints, as well as information about your leisure activities or data that you provide during use to improve quality. Pseudonymous information, i.e. information disclosed without mentioning your name, also falls under personal data. In data protection law, the IP address is generally considered to be personal data. An IP address is assigned by the Internet provider to any device connected to the Internet so that it can send and receive data. Health data are personal information that directly or indirectly provide information about a person’s health. This includes information about physical well-being/complaints, information about mental/psychological health. Health data are considered special categories of personal data and are subject to a particularly high level of protection.

When using HUMANOO, we collect information that you provide yourself. In addition, certain information about your use is automatically collected by us. In the following, we describe in detail which data we process about you for what purposes.

1. Downloading the app

When downloading the app, certain required information is transmitted to the app store you have selected (Google Play or Apple App Store), including the username, email address, customer number of your account, the time of download, and the unique device number. The processing of this data is carried out exclusively by the provider of the respective app store and is beyond our control.

2. Registration and setting up a HUMANOO app user account

To use one of our HUMANOO services, you must set up a HUMANOO user account. For registration, we typically collect your email address, IP address, and password. The login data that you enter to use the HUMANOO services is stored on European servers by eTherapists GmbH’s service provider.

You can decide how you want to register your user account during the registration process. We offer the following options for registering your user account:

a. Setting up a user account with an email address

Setting up a user account and using the HUMANOO service is possible using an email address.

b. Setting up a user account with a Google account

If you use the option to log in via Google, your email address and first name will be transmitted to us from your Google account. We only use this data for the purpose of registration and login. In return, Google can recognize when and how you logged in to HUMANOO through the log-in service. There is no further sharing of your use of content or services provided with Google.

c. Setting up a user account with “Sign in with Apple”

If you use the “Sign in with Apple” option, you can choose whether to transmit the email address associated with your Apple ID or a private relay address (alias) to us. The private relay address automatically forwards all emails from us to the email address associated with your Apple ID. Further information on “Sign in with Apple” can be found here: https://support.apple.com/de-de/HT210318 . There is no sharing of your use of HUMANOO content or services provided with Apple by us.

The data processing is carried out to fulfill the service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.

3. Data processing when using the app

a. Automatic processing of personal data when using the app

When you use our app, we collect the following data that is technically necessary for us to provide you with the functions of our app and to ensure stability and security:

  • IP address
  • Date and time of the request
  • Time zone difference to Coordinated Universal Time (UTC)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred
  • User agent of the app
  • Operating system and its interface
  • Language and version of the app.

The legal basis for the processing of this data is Art. 6 para. 1 letter f GDPR and it serves our legitimate interest in the security and stability of our app.

The infrastructure will be operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/EU). When using AWS, a transfer of your personal data to the USA cannot be ruled out. Please refer to the section “Transfer of data to third countries” for more information. In addition, we use the New Relic service of New Relic, Inc. (USA) to evaluate access and ensure data security, which processes the data exclusively as a processor. In this context, a transfer of data to the USA cannot be ruled out. Please refer to the section “Transfer of data to third countries” for more information.

b. User profile and content data

We process the data that you provide us in your user profile and the data that we collect and process when using the app. This includes your information in the user profile, such as weight, movement data or dietary habits (only if you voluntarily provide them to us), usage behavior and, under certain circumstances, also access rights to your smartphone (e.g. if you want to upload a profile photo). The data processing is carried out in order to provide you with our service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.

c. Health data

When using our services, processing of health data under Art. 9 para. 1 GDPR cannot be ruled out. The processing is carried out in order to tailor our services and offers to your needs. The processing of health data is only carried out with your consent under Art. 6 para. 1 letter a GDPR in conjunction with Art. 9 para. 2 letter a GDPR. The consent is voluntary. If you do not give your consent and do not provide us with health data, we cannot adapt the recommendations to your individual needs. There are no further disadvantages. You can revoke your consent at any time by navigating to the Account section in the app menu. Here you will find the Settings section, where you can revoke or change your consent.

4. Use of activity information from connected accounts and third parties

You can import activity information from other platforms into your HUMANOO app. You must expressly agree on these platforms that you want to link these platforms with your user account to import this data. You also have the option to determine which data should be imported. You can link the following providers/platforms to your HUMANOO user account:

a. Apple Health App

With an iPhone, you can record activity and health data or import it from different apps into the Apple Health app. You must expressly agree to share this data with HUMANOO or allow HUMANOO to export data to Apple Health. You can revoke the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR in conjunction with Art. 9 para. 2 letter a GDPR and can be revoked at any time.

b. Google Fit App

With an Android smartphone, you can record activity and health data or import it from different apps into the Google Fit app. You must expressly agree to share this data with HUMANOO or allow HUMANOO to export data to Google Fit. You can revoke the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR in conjunction with Art. 9 para. 2 letter a GDPR. Humanoo’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. The app requests the following authorizations for the corresponding purpose:

  • Permission: Information about “Fitness Location”
    Purpose: To record your data for step, running, and cycling challenges. Your location will not be queried by us.
  • Permission: Information about “Fitness Activity”
    Purpose: This allows us to differentiate between different types of activity and to query the relevant data (steps, running, cycling, heart points) for challenges and training minutes of the “weekly progress” and use it.
  • Permission: Information about “Fitness Body”
    Purpose: This allows us to obtain information about your height and weight in order to display steps, distances, and your personal health statistics in your profile.

c. Thryve Health SDK

Thryve, a service of mHealth Pioneers GmbH (Germany/EU), allows you to connect and import activity data from various sources, including manufacturers Garmin, Fitbit, Polar, Withings, Misfit, and others, as well as sensors from your mobile phone or smartwatch.

After your explicit consent to share your data that is processed by your manufacturer or that should be queried from your mobile phone or smartwatch, we receive only a key from mHealth Pioneers GmbH for unique assignment of this data to your profile. You can determine the extent of the data yourself depending on the manufacturer. We do not receive any further profile information, such as the email address of your user account used with the manufacturer of your fitness tracker. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR in conjunction with Art. 9 para. 2 letter a GDPR and can be revoked at any time.

5. Submitting medical bills – Cooperation with hi.health (Note: Only possible in Germany)

We offer you the opportunity to submit specialist medical bills to your company health insurance. In doing so, we work together with our cooperation partner, hi.health GmbH (Austria/EU). With your consent, we transmit your data to hi.health. The legal basis for the transmission is Art. 6 para. 1 letter a GDPR. The consent is voluntary. Without consent, we cannot offer you this service. Alternatively, you can submit your invoice yourself. The subsequent data processing is the sole responsibility of hi.health GmbH. Further information can be found at: https://www.hihealth.de/datenschutz/

6. Consultation with health experts and support

The HUMANOO service offers you the opportunity to contact one of our health experts or support staff via email. The use of consultation with health experts is voluntary. If you choose to use the service of an individual consultation with a health expert, they will be able to view the health data you have stored in the HUMANOO service. When you use our customer support, our support staff may access data from your user account to assist you. Data processing is generally carried out to fulfill our services and is based on the legal basis of Art. 6 para. 1 letter b GDPR. For communication with our experts, we use the Freshdesk tool provided by Freshworks Inc. (USA). As a result, data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information.

7. Video coaching

You have the option to book a video conference with a professional coach. This requires access to the camera and microphone. Data processing only occurs when you use this feature, and it is necessary to fulfill our services, based on the legal basis of Art. 6 para. 1 letter b GDPR. The technical infrastructure is provided by Twilio Inc. (USA). As a result, data transfer to the USA is not excluded. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.

8. Communication via email, phone, etc.

When you contact us (e.g., via email or phone), the information of the requester, such as first name, last name, address, telephone number, email address, and the content of your message, is processed to handle the contact request and its processing in accordance with Art. 6 para. 1 letter b GDPR. This is done in order to communicate with you, such as by answering your questions, processing orders, or providing you with the desired information. For our internal communication, we use Google Workspace provided by Google Ireland Limited (Ireland/EU). As a result, data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information. We use the Sendgrid service provided by Twilio Inc. (USA) to send transactional and notification emails. As a result, data transfer to the USA is not excluded. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.

9. Product Updates

We will send you regular emails about the features and updates of our product. In doing so, personal data such as your name and email address will be processed. We base the sending of these emails on our legitimate interest in providing information about existing and new services. The legal basis is Art. 6 para. 1 letter f GDPR. You can object to receiving these emails by unsubscribing using the link in the email. The emails are sent via the Sendgrid service of Twilio Inc. (USA). As a result, data transfer to the USA cannot be ruled out. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.

We also analyze the reading behavior and opening rates of our updates. For this purpose, we collect and process pseudonymized usage data that we do not merge with your email address or IP address. The legal basis for analyzing our updates is Art. 6 para. 1 letter f GDPR, and the processing serves our legitimate interest in optimizing our updates. You can object to this at any time by contacting us using the contact channels mentioned above.

10. Paid Services

  • Your payment information will only be processed if you use paid services. This occurs, for example, when redeeming rewards or making purchases in our online shop. When redeeming rewards, only your IBAN is processed in addition to your name, and then it is deleted. For our online shop, we process name, address, telephone number, email address, and payment information (IBAN). The data processing is carried out for the performance of the contract and is based on the legal basis of Art. 6 para. 1 letter b GDPR.

    For our online shop, we use the Shopify shop system for hosting, presentation, and processing of purchases. Shopify is provided by the service provider Shopify International Limited (Ireland). All data collected on our website is processed on behalf of us on the servers of Shopify International Limited. As part of the above services, data may be transmitted to the company Shopify Inc. in Canada for further processing on behalf of us. For the transfer of data to Canada as a third country, where the GDPR is not applicable law, there is an adequacy decision of the European Commission. The European Commission has decided that there is an adequate level of protection in Canada, and data transfer can be carried out in an admissible manner.

    To pay for products ordered in our online shop, you can choose from various options. To do this, we work with various payment providers. The payment data provided by you during the ordering process is transmitted by us to the payment service provider if this transfer is necessary to carry out the payment transaction.

    The legal basis for these data processing activities is Art. 6 para. 1 letter b GDPR. Please note that the respective payment information is processed by the relevant payment service providers as a controller.

    We use the following payment service providers:

    • PayPal
      You have the option to pay via the PayPal service of PayPal Europe S.a.r.l. et Cie s.c.a. (Luxembourg, EU). PayPal may provide us with your address data stored with PayPal, which we use exclusively to process the contract. For more information on data protection at PayPal, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE#r5 .
    • Stripe
      You have the option to use the Stripe payment service, offered by Stripe Payments Europe Ltd. (Ireland, EU). For more information on data protection at Stripe, please visit: https://stripe.com/de/privacy#translation .

11. Personalization (Google Analytics for Firebase)

We use the Google Analytics for Firebase service from the provider Google Ireland Limited (Ireland/EU) in our app. The Google Analytics for Firebase service is a feature of the Google Firebase development platform. Google Analytics is an analysis service that enables us to collect and analyze data on the behavior of users of our app in order to compile reports on activities within our app. In the process, personal data is processed in the form of online identifiers, IP addresses, device identifiers, and information on interactions with our app. For more information on data collection in Google Analytics, please visit: https://support.google.com/firebase/answer/6318039 . The data is transmitted to Google Ireland and processed on our behalf.

Some of this data may be information stored on your device. Additionally, Google Analytics may store additional information on your device. Such storage of information by Google Analytics or access to information already stored on your device is only done with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 para. 1 letter a GDPR. The legal basis for access to your device is § 25 para. 1 TTDSG. You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Personalization.

Google Analytics stores certain data associated with an advertising ID for 60 days and retains aggregated reporting without automatic expiration. The retention of user-level data, including conversions, is set to up to 14 months. For all other event data, the retention is set to 2 months. Data transfer to the USA is not excluded. Please refer to the section “Data transfer to third countries.”

12. Quality improvement (Google Crashlytics)

In our app, we use the Firebase Crashlytics service provided by Google Ireland Limited (Ireland/EU). Firebase Crashlytics is a function of the Google Firebase development platform, which is a crash reporting service that helps us improve the stability and reliability of our app. To do this, various data is collected and summarized in crash reports and sent to us. The data is transmitted to Google Ireland and processed on our behalf.

Some of this data may be information that is stored on your device. Access to information that is already stored on your device will only be done with your consent. The legal basis for accessing the device is § 25 para. 1 TTDSG. If personal data is processed, the legal basis in this case is Art. 6 para. 1 letter a GDPR.

Crash reports are only sent with your explicit consent. If you are using an iOS app, you can give your consent in the app settings or after a crash. In Android apps, there is the option to generally agree to the transfer of crash notifications to Google and app developers during the setup of the mobile device.

You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Quality Improvement.

This data is stored for a maximum of 90 days. Data transfer to the USA is not excluded. See the section “Data transfer to third countries” for more information.

13. Sharing with companies, insurers and health insurances

We work with companies, insurers, and health insurances (HUMANOO ID issuers) who want to provide their employees or members with the HUMANOO app to improve their health. Employees or members are free to register with us. Using your professional email address when registering for the app is not required. Your professional email may only be necessary when requesting your HUMANOO ID.

Personal data will not be disclosed to companies, insurers, or health insurance funds. The data is evaluated solely in an anonymized form and, if necessary, used to create a completely anonymous health report for your HUMANOO ID issuer, provided they enable you to use our service and you choose to use this option. Anonymization is ensured in this case by creating reports only when more than 15 people within a company or department use our app. It is not possible to draw conclusions about your personal health status based on the use of our app and our services.