Privacy Policy App

Privacy Policy for the App of ONVY HealthTech Group GmbH on the Processing of Personal Data (including Health Data)

A. Preface

We, ONVY HealthTech Group GmbH (hereinafter: "ONVY", "the company", "we" or "us"), take the protection of your personal data seriously and would like to inform you at this point about data protection in our company.

As part of our data protection responsibilities under the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "DS- GVO"), we have various obligations to ensure the protection of personal data of the person affected by a processing (we also address you as a data subject hereinafter with "user", "you", "you" or "data subject").

This includes, above all, the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 DS- GVO). With this statement (hereinafter: "Privacy Statement"), we inform you about the manner in which your personal data is processed by us.

Please be aware that when using the App, health data are part of the data processed.

B. General

1. Responsibility for your data and contact details

(1) Responsible person

The controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is ONVY HealthTech Group GmbH, Schloßstraße 19, 82031 Grünwald, Germany.

(2) Contact details

You can reach us via email: contact@onvy.health.

(3) In particular, you can reach us via these contact details if you wish to assert justified claims against us.

(4) If you have any further questions or comments regarding the collection and processing of your personal data, please also use the aforementioned contact details.

2. Definitions

Following the example of Art. 4 DS-GVO, this data protection notice is based on the following definitions:

- "Personal data" (Art. 4 No. 1 DS-GVO) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or sound recordings may also contain personal data).

- "Processing" (Art. 4 No. 2 GDPR) means any operation which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended purpose on which a data processing was originally based.

- "Controller" (Art. 4 No. 7 DS-GVO) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

- "Third party" (Art. 4 No. 10 DS-GVO) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data; this also includes other group-affiliated legal entities.

- "Processor" (Art. 4 No. 8 DS-GVO) is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.

- "Consent" (Art. 4 No. 11 DS-GVO) of the data subject means any voluntary expression of will in the form of a declaration or other unambiguous affirmative act, given in an informed and unambiguous manner for the specific case, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

3. Change of privacy policy / Status

(1) In the context of the further development of data protection law as well as technological or organizational changes, our data protection notices are regularly reviewed to determine whether they need to be adapted or supplemented. You will be informed of any changes.

(2) This data protection notice is valid as of 26.08.2022.

4. No obligation to provide personal data

For you as a user, there is basically no legal or contractual obligation to provide us with your personal data. However, the use of the ONVY app is not possible if you do not provide the necessary data or do not consent to the processing of your personal data.

C. Information about the processing of your data

1. The collection of personal data concerning you

(1) When you use our app, we collect personal data about you.

(2) Personal data is all data that relates to your person (see above under General). For example, your name, your location data, your IP address, the device identifier, the SIM card number, your address and e-mail address are personal data, your fingerprint, images, movies, audio recordings, but also your user behavior falls into this category.

2. Legal bases of data processing

(1) In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

- Art. 6 (1) p. 1 lit. a DS-GVO - for health data in conjunction with Art. 9 (2) lit. a DS-GVO ("consent"): When the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;

- Art. 6 (1) p. 1 lit. b DS-GVO: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request;

- Art. 6 (1) p. 1 lit. c DS-GVO: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records);

- Art. 6 para. 1 p. 1 lit. d DS-GVO: If the processing is necessary to protect vital interests of the data subject or another natural person;

- Art. 6 (1) p. 1 lit. e DS-GVO: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

- Art. 6 (1) p. 1 lit. f DS-GVO ("Legitimate Interests"): If the processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).

(2) For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases.

3. Data collected during download

(1) When downloading this app, certain personal data required for this purpose will be transmitted to the corresponding app store (e.g. Apple App Store or Google Play).

(2) In particular, the email address, user name, customer number of the downloading account, individual device identification number, payment information and the time of the download are transmitted to the App Store during the download.

(3) We have no influence on the collection and processing of this data; rather, it is carried out exclusively by the App Store selected by you. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the App Store.

4. Data collected when using the app

(1) We can inevitably only provide you with the benefits of our app if we collect and process certain personal data about you that is required for app operation when you use it. When using the app, your personal data and, in some cases, health data are processed.

(2) We collect and process the following data from you:

- Device information: Access data includes the IP address, device ID, device type, device-specific settings and app settings and app properties, the date and time of the retrieval, time zone, the amount of data transferred and the message whether the data exchange was complete, crash of the app and operating system. This access data is processed to technically enable and improve the operation of the app.

- Your email address is required to create your profile on ONVY. The profile is created in the app. Alternatively, you can use the so-called Apple Log-In ("Log in with Apple") or the so-called Google Log-In (“Log-in with Google”). Please consult Apple's or Google’s instructions for details: "Log in with Apple" & Privacy" or “How Sign in with Google helps you share data safely”

You can voluntarily enter additional data in your profile such as: First Name, Last Name, Age, Weight, Gender, Height. This improves the function of the app or the calculated scores.

- The data from your wearables will be retrieved via Terra as shown in D.5.c. and merged with your profile information by ONVY.

- The data from the wearables may allow conclusions to be drawn about your health status and therefore constitute Health Data.

- The following data may be sent via Terra to ONVY servers operated exclusively in Germany after your approval for the respective data category (in HealthKit or via the third-party providers such as Strava) and stored and processed there:

a. Activities captured by the wearable, such as: - Steps

- Minutes of training

b. Vital signs data captured by the wearable, such as: - Breathing rate

- Heart rate

- Sleep duration

c. Other data, such as: - Birthday

- weight

- Height

- Ambient noise level

- An additional, anonymized data set is generated from your data. This means that the data is completely decoupled from your person, so that it is no longer possible to assign the data to you. As part of the anonymization process, certain data (such as age group or place of residence) are retained in order to allow ONVY to use the data in a meaningful way (e.g. for the development of algorithms). However, this data is so general that it is no longer possible to trace it back to you as an individual person.

- Furthermore, we collect anonymized data about the use of the app. In doing so, we record click events, such as the call of a specific page or function. An assignment to the person is not possible here. This data is used for the evaluation of certain functions and the prioritization of further development.

(3) The processing of your data is based on your consent given in a separate checkbox in the app to the processing of your data including special categories of personal data (health data) for the purposes mentioned (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a DSGVO).

5. Use of cookies

We do not use cookies when operating our App.

6. Data collection upon contact

(1) If you contact us by e-mail or via a contact form, then your e-mail address, your name and all other personal data that you have provided in the course of contacting us will be stored by us so that we can contact you to answer the question.

(2) We delete this data as soon as the storage is no longer necessary. If there are legal retention periods, the data will remain stored, but we will restrict the processing.

(3) The processing of the data entered in the contact form or otherwise transmitted when contacting us is based on our legitimate interest (Art. 6 para. 1 lit. f DS-GVO) in the proper response to the inquiry.

7. product information, newsletter, direct advertising and vouchers

(1) We may use the e-mail address you entered when registering in the app or, if you use the Apple Log-In or Google Log-In, the e-mail address transmitted to us by Apple or Google to send you information about the product (e.g. new functionalities) and about our own similar goods and services. You can object to this use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic rates. An informal message by e-mail is sufficient for the objection. Alternatively, you can unsubscribe from the newsletter via the corresponding link contained in each newsletter.

The legal basis for the processing of your data within the scope of this paragraph 1 is § 7 (3) UWG as well as Art. 6 (1) lit. f DS-GVO (our legitimate interest to inform you about the product or about our own similar goods and services).

(2) Insofar as you have not objected to the use of your e-mail address, ONVY may send you vouchers to your e-mail address, e.g. to enable you to use the app for an extended period free of charge or to thank you for recommendations of the app.

(3) Consequences of unsubscribing from the newsletter or objecting.

As soon as you have unsubscribed from our newsletter or objected to the further use of your email address for the purpose of information about our own similar goods and services, your email address will be stored by us or a service provider in a so-called "blacklist" to prevent you from receiving further newsletters or information from us. This is done on the basis of our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in complying with legal requirements when sending newsletters or promotional information.

8. Data storage period

(1) We delete your personal data as soon as it is no longer required for the purposes for which we collected or used it. As a rule, we store your personal data for the duration of the usage or contractual relationship via the app. However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings.

(2) Third parties used by us will store your data on their system for as long as it is necessary in connection with the provision of the service for us in accordance with the contractual relationship.

(3) The data anonymized as described above under C.4.2. will not be deleted, but will be stored and processed by ONVY for an unlimited period of time.

(4) Legal requirements for storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

9. Data security

(1) We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties, taking into account the state of the art, implementation costs and the nature, scope, context

and purpose of the processing, as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

(2) We restrict access to data transmitted to us to those employees who need access. These employees are contractually obligated to comply with the statutory data protection provisions.

(3) In order to protect your data, extensive technical and organizational measures have been implemented (e.g. firewalls, encryption and authentication techniques, procedural instructions).

(4) We will gladly provide you with more detailed information on this upon request.

10. No automated decision making (including profiling)

We do not intend to use any personal data collected from you for any automated decision-making process (including profiling).

11. Change of purpose

(1) Your personal data will only be processed for purposes other than those described if a legal provision permits this or you have consented to the changed purpose of the data processing.

(2) In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.

D. Data processing by third parties / commissioned processing

(1) Personal data will be treated by us as strictly confidential and will not be disclosed to third parties, unless specified in the following paragraphs. In particular, no data will be transmitted to analysis services such as Google Analytics or social platforms such as Facebook.

(2) We may disclose personal data to government agencies/authorities to the extent necessary to fulfill a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 p. 1 lit. c DS-GVO;

(3) We may disclose personal data to persons appointed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 sentence 1 lit. b or lit. f DS-GVO.

(4) In addition, we will only disclose your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 (1) p. 1 lit. a DS-GVO.

(5) Order data processing

(a) It may happen that commissioned service providers are used for individual functions of our app. We use external service providers to process our business transactions (e.g. for the areas of IT, logistics, telecommunications, sales and marketing). They will only act on our instructions and have been contractually obligated within the meaning of Art. 28 DS-GVO to comply with the provisions of data protection law.

(b) We currently use the following processors who may have access to your personal data:

- Amazon Web Services (IT infrastructure)

- Terra (Terra Enabling Developers, Inc – see section c).

(c) An essential element of the App is the integration of data collected via so-called wearables. For this purpose, ONVY uses Terra as a service provider, which acts as an order data processor for ONVY. The service provider handles the connection and import of activity data from various sources such as fitness wristbands, fitness rings and smartwatches (e.g. Strava, Garmin, Fitbit, Oura, Apple etc. - hereinafter collectively "Wearables"). The data may not be retrieved from the provider's server (e.g. Strava), but from the "Healthkit" (iOS) or "Google Fit" (Android). Apps installed on your mobile device (e.g. the Strava app) write the data to the "Healthkit" or "Google Fit".

ONVY receives a key (so-called token) from Terra to uniquely assign the data retrieved from the different sources to your profile at ONVY. Beyond that, ONVY does not receive any other profile information about the sources from which the data originates; for example, not the email address you use for your user account with the manufacturer of your fitness tracker. Through Terra, the data is retrieved from the connected sources (and approved by you), translated (harmonized) into a standard data format, and transmitted to ONVY.

ONVY uses the data to operate the app. For this purpose, the data is also linked with the profile data provided by you (name, e-mail address, etc.) in order to be able to display it meaningfully in the dashboard.

From the data, the so-called Onvy Score is determined and displayed in the dashboard. In the process, your recovery values during sleep, your daily exercise, your "mindfulness" and your state of stress are converted into a meaningful value (score).

In some cases, ONVY transmits pseudonymized (see below for token) profile data (weight, age, gender, height) so that it can be combined with wearables data can be interpreted by Terra using algorithms developed or licensed by Terra and scores (e.g. "metabolic equivalent") can be generated. These scores are in turn transmitted to ONVY and ONVY uses them to design the dashboard.

Terra cannot associate your data with your person because Terra only knows the key (token), not your name. This means that your name and ONVY profile data are linked to the data from the wearables only by ONVY, not by Terra.

E. No transfer of personal data to third countries

Your personal data will not be transferred to countries outside the European Economic Area (EEA), i.e. to third countries.

F. Your rights

1. Right to information

(1) You have the right to obtain information about the personal data concerning you within the scope of Art. 15 GDPR.

(2) This requires a request from you to be sent either by email or by post to the addresses given above.

2. Right to object to data processing and revoke consent

(1) In accordance with Art. 21 DS-GVO, you have the right to object at any time to the processing of personal data concerning you. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the assertion, exercise or defense of legal claims.

(2) Pursuant to Art. 7(3) DS-GVO, you have the right to revoke your consent once given - i.e. your voluntary will, made understandable in an informed manner and unambiguously by a statement or other unambiguous confirming act, that you agree to the processing of the personal data in question for one or more specific purposes - at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent for the future.

(3) In this regard, please contact us using the contact details provided above.

3. Right to rectification and cancellation

(1) Insofar as personal data concerning you is incorrect, you have the right pursuant to Art. 16 DS-GVO to demand that we correct it without delay. With a request in this regard, please contact us at the contact details provided above.

(2) Under the conditions set out in Art. 17 DS-GVO, you have the right to request the deletion of personal data concerning you. With a request in this regard, please contact us at the contact details provided above. In particular, you have the right to erasure if the data in question is no longer necessary for the collection or processing purposes, if the data storage period has expired, if there is an objection, or if there is unlawful processing.

4. Right to restriction of processing

(1) In accordance with Art. 18 DS-GVO, you have the right to request that we restrict the processing of your personal data.

(2) With a request in this regard, please contact us at the contact details provided above.

(3) You are entitled to the right to restrict processing in particular if the accuracy of the personal data is disputed between you and us; in this case, you are entitled to the right for a period of time required to verify the accuracy. The same applies if the successful exercise of a right of objection is still disputed between you and us. You are also entitled to this right in particular if you have a right to erasure and you request restricted processing instead of erasure.

5. Right to data portability

(1) Pursuant to Art. 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, common, machine-readable format.

(2) With a request in this regard, please contact the above contact details.

6. Right to complain to the supervisory authority

(1) In accordance with Art. 77 GDPR, you have the right to complain about the collection and processing of your personal data to the competent supervisory authority.

(2) The data protection supervisory authority responsible for ONVY HealthTech Group GmbH is:

Bavarian State Office for Data Protection Supervision

Postal address:

PO Box 1349

91504 Ansbach

Germany

Phone: +49 (0) 981 180093-0

Fax: +49 (0) 981 180093-800

Email: poststelle@lda.bayern.de