Privacy Policy for Mindable Apps and Digital Health Applications (DiGA)

July 30, 2024

1. Contact Information

Name and Contact Information of the Responsible Party

Mindable Health GmbH
Represented by Linda-Marie Weber and Eddie Rietz
Neue Grünstraße 17
10179 Berlin

E-Mail: info@mindable.health
Phone: +49 30 62923386

(hereinafter referred to as 'Mindable Health', 'we', or 'us')

Data Protection Officer

If you have questions about our data protection measures, the processing of your data, or regarding your data subject rights, you can contact us and our Data Protection Officer as follows:

External Data Protection Officer
ePrivacy GmbH
Represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg

For any questions and concerns regarding your data, feel free to reach out to datenschutz@mindable.health.

If you wish to communicate directly with our Data Protection Officer (for example, if you have particularly sensitive matters), please contact them via post, as email communication may have security vulnerabilities. Please indicate in your request that your concern relates to Mindable Health.

2. Purpose and Scope

This Privacy Policy informs you (as a user) about the nature, scope, purpose of collection, and processing of your personal data in the Mindable applications (apps) and digital health applications (DiGAs).

Under the brand 'Mindable', we offer mobile apps designed to alleviate symptoms of psychological disorders (such as social phobias, panic disorders, agoraphobia) and support their management.

The apps aim to provide and deliver appropriate disorder-related content, methods, and exercises based on established psychotherapeutic guidelines, approaches, and practices.

They can be independently used by patients in addition to regular healthcare services (e.g., to bridge waiting times, support therapy, or prevent relapses).

3. Data Processing During App Usage

During the use of the Mindable app, personal data, including sensitive health data, is processed. Personal data includes any information related to an identified or identifiable natural person. Sensitive health data includes information about an individual's physical or mental health.

The personal data described in the following sections, which you provide to us through the proper use of the app, is necessary to ensure the optimal use of the app.

The processing of this data is carried out in compliance with the requirements of the General Data Protection Regulation (GDPR). If you use the Mindable app as a billable service covered by your health insurance, the Digital Health Applications Regulation (DiGAV) further specifies and supplements the GDPR requirements.

3.1 Registration and Account Creation

To use the Mindable app, you must register and create an account. During registration, we collect personal, contact, billing, and other profile data (account data):

  • Email
  • Activation code
  • Self-selected username
  • Gender identity
  • Date of birth
  • Language settings

If you use the app as a self-payer or through a private health insurance offering and receive reimbursement from your insurance company, additional data may be collected for billing purposes, such as insurance company, insurance number, and address.

This personal data is necessary to create access and an account for the app within the usage period. Additionally, we ensure that the app program is optimally tailored to your needs, and you can personalize your account with additional profile data.

The processing of account data is based on your consent (Art. 6(1)(a) GDPR) and the necessity to fulfill the contract with you (Art. 6(1)(b) GDPR). The provision of the date of birth is for the purpose of proper use (as per EU-MDR Art. 2 No. 12 in conjunction with §4 DiGAV Para. 2 No. 1), i.e., usage by persons within the specified age range. Moreover, we are required to continuously provide evidence of the medical benefit of our app (§4 Para. 2 No. 2 DiGAV) and document usage for health insurance purposes (§4 Para. 2 No. 3 DiGAV). This may include the anonymized evaluation of your sociodemographic data, such as gender or age.

3.2 Login with Biometric Data

The app provides the option to log in using biometric data such as fingerprint ('Touch ID') or facial recognition ('Face ID'), depending on your device. Biometric data is captured by technology on your mobile device and stored exclusively locally on your device. We are not responsible for executing this process and have no access to the stored data.

To use this feature, you must explicitly consent to the processing of your biometric data according to Art. 9 of the operating system.

3.3 App Program Usage

3.3.1 Health Data

During the use of the Mindable app content, we process your responses and inputs within the app. This data partly relates to your physical and mental health (e.g., responses to questions about the occurrence of disorder-related symptoms or complaints and how you handle them).

The processing of health data is based on your explicit consent under Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR to enable the proper use of the Mindable app as per §4 Para. 2 No. 1 DiGAV. Additionally, due to the approval of our apps as digital health applications, we are legally obligated under §4 Para. 2 No. 2 DiGAV to continuously provide evidence of their medical benefit. Furthermore, we are legally obligated under §4 Para. 2 No. 3 DiGAV to document usage for health insurance purposes. This may include anonymizing your data and sharing it in anonymized form exclusively with our partners for medical research purposes.

3.3.2 Technical Data

During app usage, technical connection data (log and protocol data) is processed and transmitted from your device to us.

This includes the following data:

  • IP address
  • Information about your device
  • Date and timestamp of access

The processing of this data is carried out under our legitimate interest as per Art. 6(1)(f) GDPR to enable access to our apps, secure our systems, and ensure that all technical functions operate correctly. This data is technically necessary and required to deliver the requested content.

3.3.3 Data for Application Development

If you explicitly consent, your usage data will be processed for the purpose of ensuring the technical functionality, user-friendliness, and continuous improvement of Mindable in accordance with §4 Para. 2 No. 4 DiGAV. This includes, for example, date, timestamp, and duration of individual activities and accessed functions.

This consent is voluntary and does not result in any advantage or disadvantage. You can withdraw your consent at any time in the app settings. The withdrawal does not affect the legality of the processing carried out based on the consent until the withdrawal.

3.4 Contact and Support

You can contact us via phone, the app, or email. When contacting us, we collect information such as your name, address, email address, and phone number to process your inquiry and, if necessary, continue correspondence. We use the service provider Zammad GmbH, located at Marienstraße 11, 10117 Berlin, for capturing, processing, and handling support requests. For email communication, we use the processor AWS, operated by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, and acting in accordance with Art. 28 GDPR.

The processing of your data is either based on the mutual legitimate interest in contacting you under Art. 6 Para. 1 lit. f GDPR or for the fulfillment of the contract under Art. 6 Para. 1 lit. b GDPR.

3.5 Legal Defense and Transmission to Authorities

If necessary, we process your data to assert legal claims and defend against legal disputes and to prevent and clarify criminal offenses. The processing is based on a balancing of interests according to Art. 6 Para. 1 lit. f GDPR, which also takes into account your legitimate interests.

If we are requested by authorities or in the context of legal disputes to provide information to authorities, courts, or other third parties, we comply with this request as long as we are legally obliged to do so. The legal basis for this is Art. 6 Para. 1 lit. c GDPR.

3.6 Anonymized Data Processing for Research Purposes

We anonymize your personal data collected during app usage to use it for research purposes. This applies to both general and health-related information. The anonymization of health data is permitted under Art. 9 Para. 2 lit. j GDPR in conjunction with § 27 Para. 1, 3 BDSG, if it is necessary for scientific research purposes and the interests of the responsible person in data processing outweigh the opposing interests of the data subjects.

We use your anonymized data exclusively for scientific research purposes to gain new insights into the effective and user-friendly implementation of therapeutic measures in digital formats.

Anonymization complies with the principle of data economy and ensures data-efficient handling of personal information.

The processing of personal data related to anonymization is based on Art. 6 Para. 1 lit. f GDPR. If you object for specific reasons, you have the right to object according to Art. 21 Para. 1 GDPR, provided it is based on specific circumstances that justify significant protection requirements.

3.7 Optional Relapse Prevention Feature

After your access to the full functionality of the app ends (e.g., after the expiration of the access code), the optional relapse prevention mode is available free of charge.

The relapse prevention mode is a special mode with limited functions that allows you to review your progress, export your data, track your symptom progression through regular checkups, and seamlessly return to full app usage in case of relapse, for example, upon receiving or purchasing a new access code.

The relapse prevention mode is optional and can be useful if you cannot use the app for an extended period or wish to fully transfer what you have learned into everyday life without app support.

This free additional feature is not part of the BfArM-verified DiGA. It is offered as part of the intended purpose of a medical device.

Activating the relapse prevention mode requires your explicit consent. Otherwise, the provisions under Section 5 “Retention and Deletion Policy” apply.

The processing of your data is based on your consent (Art. 6 Para. 1 lit. a GDPR and Art. 9 Para. 2 lit. a GDPR) and the necessity for fulfilling the contract with you (Art. 6 Para. 1 lit. b GDPR).

By giving consent under Art. 6 lit. a or b GDPR, you have the right to receive your personal data from the app in a structured, commonly used, and machine-readable format or to transmit this data to another controller without hindrance (Art. 20 GDPR).

4. Revocation of Consent

You have the option to revoke your consent at any time in your profile settings or by contacting us at datenschutz@mindable.health. A revocation is only effective for processing from the time it is received. Processing that took place before the revocation is not affected. Please note that the right of revocation does not apply to anonymized data, as it is no longer possible to associate the data with you at that point.

Please note that if you revoke your consent for permissions essential to the app, your account will be automatically deleted.

5. Retention and Deletion Policy

As a rule, we do not store your personal data longer than necessary for the respective processing purposes, unless we are obligated to do so due to mandatory legal retention periods.

As long as you use your account, your data will be stored. Once your access to the app ends, your personal data will be automatically and promptly deleted.

If you have also given consent to ensure user-friendliness, your data may be stored for an additional 30 days (for apps with a usage period of less than 365 days). Deletion requires no further action on your part.

For apps with a usage period of 365 days or more, final deletion of your data will occur automatically after three months of inactivity.

Extended storage of your data beyond the usage period is only possible with explicit consent in the so-called optional “Relapse Prevention Mode” (see Section 3.6 of this Privacy Policy). In this case, the account will be maintained for an additional 365 days unless deleted earlier. Final deletion will occur after 365 days unless the app is reactivated within this time, in which case it will be deleted after three months of inactivity. No further action on your part is required for deletion.

If you want to delete your data earlier, you can do so at any time by deleting the account in your profile settings. In this case, the data will be deleted immediately, unless temporary storage is required due to legal retention obligations (e.g., commercial and tax law retention obligations). Please note that deletion cannot be undone.

For billing-relevant data, statutory retention periods of 10 years apply (§147 Para. 3 i. V. m. Para. 1 Nos. 1, 4 and 4a AO, § 14b Para. 1 UstG). We securely store billing-relevant data during this period and delete it promptly after the statutory retention periods expire.

Uninstalling our mobile application from your phone only deletes the application itself but not the data stored up to that point. To delete your data, please proceed as described above.

6. Data Recipients

We only share your personal data if you have explicitly consented, a legal basis exists, or it is necessary to enforce our rights, particularly to enforce or defend claims.

No transmission of personal data to third countries occurs, and all processing takes place within the European Economic Area.

Data processors according to Art. 28 GDPR are:

  • Zammad GmbH, based at Marienstraße 11, 10117 Berlin,
  • Open Telekom Cloud of Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn, and
  • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.

7. Data Security

We are aware of the confidentiality of your sensitive data and take this responsibility very seriously. For this reason, we implement numerous measures to secure your data. Your sensitive health data is processed exclusively on servers in Germany, which are particularly secure and comply with high-security standards.

Using the app in potentially insecure environments, such as public or unsecured networks, or sharing your device with third parties, poses potential risks of unauthorized access to your data. This risk may also arise if you use the app on a shared device or over telecommunication connections monitored by government authorities. We would like to point out that these risk factors are beyond our control and that your active participation in securing your data is essential.

8. Your Rights

Under certain circumstances, you can exercise specific rights regarding your personal data according to legal data protection provisions.

As a data subject, you have the following rights:

  • Request information about the processing of your data and receive a copy of your personal data. You can request information, for example, about the purposes of processing, categories of personal data processed, data recipients (if applicable), storage duration, or criteria for determining the duration;
  • Receive your data in a structured, commonly used, and machine-readable format or transfer it to another controller;
  • Rectify your data. If your personal data is incomplete, you have the right to complete it, considering the purposes of processing;
  • Have your data deleted or blocked;
  • Restrict the processing of your data;
  • Object to the processing of your data;
  • Withdraw your consent to the processing of your data for the future; and
  • Complain to the competent supervisory authority about unlawful data processing.

To exercise the rights described here, you can contact us at any time. Our contact details can be found under 'Contact Information' in this Privacy Policy.

9. Changes to the Privacy Policy

We reserve the right to update and revise this Privacy Policy as needed. Please note that all data collected by us is subject to the Privacy Policy in effect at the time of data collection.

All future changes to our Privacy Policy will be published on this page and, if necessary, communicated via email or through the app. We, therefore, recommend regularly reviewing this page to stay informed about our data processing practices.