Data Privacy App

Una Health GmbH (hereinafter "Una Health" or "we") takes the protection of your personal data seriously and would like to inform you here about the processing of personal data when using this app (hereinafter "App" or "DiGA"). 

By agreeing to this Privacy Policy, you consent to the data processing described below to the extent that such processing requires your consent.

1. person in charge

Responsible in the sense of Art. 4 No. 7 of the EU General Data Protection Regulation (DSGVO) for the processing of your personal data in connection with the use of the App is:

Una Health GmbH
Katharinenstraße 30a, Contor
20457 Hamburg
E-Mail: 
programm@unahealth.de
datenschutz@unahealth.de

2. data protection officer

Our external data protection officer is available to answer any questions you may have and to act as your contact person on the subject of data protection at our company. He can be reached at the following contact details:

heyData GmbH
Schützenstr. 5
10117 Berlin
support@heydata.eu 

3. data processing when using the app

The app is a digital therapy companion designed to help people with type 2 diabetes self-manage their disease by gradually introducing them to guideline-based and individualized dietary recommendations and behaviors to improve their health.

Users are guided throughout the program by a behavioral science program. This is designed to impart relevant knowledge and encourage self-reflection and personal goal setting, leading to effective behavior change and sustainable health improvement. Brief knowledge lessons are supplemented by daily and weekly goals and tasks, regular reminders and notifications, and the recording and visualization of relevant measurements and progress.

The digital health application supports users in changing their lifestyle based on individual insights in such a way that blood glucose control can be improved. This is achieved by identifying meals that trigger severe blood glucose fluctuations and personalized dietary recommendations. The behavioral science program supports users in the long-term implementation of the findings. 

The information within the app can be used for your own self-management or shared with your caring healthcare professional. In addition, Una Health offers free support for using the program as intended or safely. 

We process personal data solely for the purpose of using the Digital Health Application (DiGA) as intended, for proving positive effects on care as part of a trial of the DiGA in accordance with Section 139e (4) of the German Social Code, Book V (SGB V), and for providing evidence for agreements in accordance with Section 134 (1) sentence 3 of the German Social Code, Book V (SGB V). The legal basis for data processing in the DiGA is solely your consent pursuant to Art. 9 Para. 2 lit. a) DSGVO. 

The intended use of the DiGA includes any data collection and processing that is necessary, based on the requirements for a DiGA, in order to use the DiGA in accordance with its intended purpose.

You may also consent to the processing of your personal data for the purpose of permanently ensuring the technical functionality and user-friendliness of the app as well as its further development.

4. collection of personal data

Based on your consent, we only process data that you either enter manually into the app or transfer via the services mentioned in this privacy policy (e.g. for data from fitness bands).

5.  which personal data are processed

In the following, we inform you about which personal data is processed in connection with the individual functions of the app.

5.1 Downloading the app

When you download our app, the required information is transferred to the respective app store, i.e. in particular username, email address and the customer number of your account, time of download, payment information and the individual device identification number. In addition, the app store still independently collects various data and provides you with analysis results. We have no influence on this data processing and are not responsible for it. We process the data only insofar as it is necessary for downloading the app to your mobile device.

5.2  Use of the app

When using the app, we process personal data to enable the convenient use of the functions. For this purpose, we only process the data that is technically necessary for us to offer you the functions of our app and to ensure the stability and security, so that they must be processed by us. The following data is processed for this purpose during use:

  • Date and time of the request

  • Time zone difference from Coordinated Universal Time (UTC)

  • Request content

  • Access status/HTTP status code

  • Data volume transferred in each case

  • Operating system

  • Your device identification

  • Unique number of the terminal device (IMEI)

  • Unique number of the network subscriber (IMSI)

  • Mobile number

  • MAC address

5.3 Logging into the app with Touch ID/Face ID/Fingerprint

You have the option of activating the biometric identifier, depending on your end device, via your fingerprint ("Touch ID"/"Fingerprint ID") or facial recognition ("Face ID") for the login in the settings. The biometric identification is done via a technology in your mobile device and the data is only stored locally on your device and not transmitted to us. We are not responsible for the procedure.

The processing of your personal biometric data within the scope of this function is based on your prior explicit consent pursuant to Art. 9 (2) lit. a DSGVO vis-à-vis the provider of your operating system. You can also deactivate the login via biometric identifier in the app at any time.

5.4 Use of push notifications

The app uses push notifications to send meal reviews, to help you make decisions around your lifestyle, and to let you know when you've received a response from tech support. Push notifications are messages that appear on your display. The notifications are necessary for the intended use of the app as they provide real-time feedback and guide you through the program, increasing the positive health impact of the program. 

After installing the app, you will be asked if you allow notifications to be sent. You can freely decide whether you want to receive the push notifications. In case of using the push service, a device token from Apple or a registration ID from Google is assigned. These are encrypted, anonymized device IDs. The sole purpose of use is the provision of the push services. It is not possible for Una Health to draw conclusions about the individual user. The push service can be adjusted or deactivated in the app if required. 

We use the Firebase Cloud Messaging service provided by Google, Inc. Mountain View, USA. Firebase Cloud Messaging is part of the backend service platform. No other services from Firebase are used. For more information, please see Google's privacy policy at http://www.google.de/intl/de/policies/privacy.

5.5 Registration and creation of a user account

You have the option to register in the app and create a user account.

In connection with the registration, the following personal data and collected:

  • First and last name

  • E-mail address

Your data will be stored until you delete your account. The possibility to use the app ends according to § 33a SGB V with the expiration of the prescribed or approved period of use after 14 days, without the need for a cancellation. The data will then be deleted unless we need it to fulfill legal obligations.

Third parties engaged by us will store your data on their systems for as long as is necessary in connection with the provision of services for us in accordance with the respective order.

There is no legal obligation to provide your data. However, if you do not provide us with your data, it will not be possible to use the app.

5.6  Use of the Una Health Program

The app is a digital therapy companion designed to help people with type 2 diabetes self-manage their disease with the aim of improving blood glucose control. Users are supported in making changes to their individual lifestyle. They receive a report with individual findings on the postprandial blood glucose response to meals and other lifestyle activities from a previous test phase. Based on these findings, lifestyle recommendations are derived that have the potential to improve glycemic control. The behavioral science program provides structured, evidence-based, guideline-compliant diabetes self-management content. Features such as goals, documentation of diabetes-related data, and automated coaching messages facilitate the implementation of what is learned, leading to lifestyle change. 

The following data is collected when using the Una program

  • Information on meals, drinks and medication

  • Details of exercises performed

  • Information on mood, activity, stress

  • Weight and waist circumference data

  • Biological sex and date of birth

  • Qualitative descriptions of your health goals and your personal reflections on those goals.

The purpose of data processing is the safe use of DiGA in accordance with its intended purpose.

The processed data allows conclusions to be drawn about your health, it is therefore health data within the meaning of Art. 4 No. 15 DSGVO. The legal basis for the data processing by us is your consent pursuant to Art. 9 (2) a) DSGVO. You can find more information about consent under point 6.

Your data will be stored until you delete your account. The possibility to use the app ends according to § 33a SGB V with the expiration of the prescribed or approved period of use after 14 days, without the need for a cancellation. The data will then be deleted unless we need it to fulfill legal obligations.

There is no legal obligation to provide your data. However, if you do not provide us with your data, it will not be possible to use the Una Health program.

Some data may be collected from third party devices and apps, usually mobile apps that collect activity data (Apple Health, Google Fit and others). The read transfer of this data can be used on the condition that the user connects the device to the application and authorizes the transfer of the data for the purposes of the application under the conditions specified in this document. Likewise, the connection can be disabled in this way, so that data can no longer be transferred.

5.7 Import of glucose values 

Parallel to the use of the app, continuous glucose data can be collected. These can be recorded manually or read in using software from the respective manufacturer, Abbott Laboratories or Dexcom, Inc. and transmitted to Una Health.

5.8  Using the chat function

You can use a chat function within the app that allows you to communicate directly with technical support to ask questions about the program. For this purpose, your first and last name and the content you enter in the chat are processed. 

In order to be able to offer you this function, we use the Stream service of Stream.IO, Inc., 1215 Spruce St Suite 300, Boulder, CO 80302, USA (hereinafter "Stream"). We encrypt chat content end-to-end using state-of-the-art technology, which means Stream does not have access to the chat content. Your chat data is stored on AWS cloud servers in Ireland, so no data is transferred to the USA.

Your data will be stored until you delete your account. The possibility to use the app ends according to § 33a SGB V with the expiration of the prescribed or approved period of use after 14 days, without the need for a cancellation. The data will then be deleted unless we need it to fulfill legal obligations.

There is no legal obligation to provide your data. However, if you do not provide us with your data, it will not be possible to use the chat function.

6.  Integration of third party providers

In addition to the third-party providers already described above, we use other service providers in order to be able to ensure the intended use of DiGA. The service providers we use process personal data in accordance with the GDPR and are integrated by us in a data protection-compliant manner as order processors. In this respect, we have concluded contracts for commissioned processing with the third-party providers. The contractual agreement provides, among other things, that order processors undertake to comply with data protection, which includes securing your personal data through appropriate technical and organizational measures - in particular by means of encryption technologies. Our service providers store personal data exclusively in the European Union. The following third-party providers process personal data on our behalf:

6.1 IONOS

We use IONOS to host our app. The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. When you use our app, IONOS collects various log files including your IP addresses. The legal basis for the collection of this data is Art. 6 (1) lit. f DSGVO. We have a legitimate interest in the most reliable presentation of our app. 

For more information, please refer to the IONOS privacy notice: https://www.ionos.de/terms-gtc/datenschutzerklaerung.

6.2 Rapidmail

We use Rapidmail to send transaction-related emails. This includes sending the newsletter and confirmation emails as part of the registration process. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau. Rapidmail enables us to organize and analyze transaction-related emails.

For more information, please refer to Rapidmail's privacy policy: https://www.rapidmail.de/datenschutz

6.3 Matomo

We use the open source tracking tool Matomo (https://matomo.org/) to analyze your user behavior. Personal data concerning your activity in the app as well as device and browser information (in particular the IP address and the operating system) may be stored and analyzed.

By analyzing the data obtained, we are able to compile information about the use of the individual components of our app. This helps us to continuously improve our app and its user-friendliness.

We process your personal data only if you consent to it. The legal basis for the data processing is Art. 6 para. 1 lit. a DSGVO. You can revoke this at any time in the app settings.

Your personal information will be stored for as long as necessary to fulfill the purposes described.

For more information on the processing of data by Matomo, click here: https://matomo.org/privacy-policy/

6.4 Thryve/ mHealth Pioneers GmbH

If you as a user decide to transfer data from fitness bands or apps to the app, we use the service Thryve of mHealth Pioneers GmbH, Körtestraße 10 10967 Berlin Germany. The service processes pseudonymized data to indicate the number of steps/km.  

Further information about the service provider at: https://thryve.health/imprint/

6.4 Vital

Should you as a user decide to automatically transfer data from CGM to Una Health, the service Vital of Adept Labs Inc, 483 Green Lanes, London, N13 4BS can be used. In this respect, Vital serves us as an interface to transfer your blood glucose values from your CGM to Una Health. Your data is stored on the Google cloud platform in the EU. The storage on the servers is encrypted and the key relevant for decryption is stored outside the Google Cloud Platform.

For more information on how we handle your personal data, please visit https://tryvital.io/privacy.

7. Other data transfers to third parties

The following categories of recipients may receive access to your personal data in addition to the service providers we use:

  • Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. c DSGVO;

  • Persons appointed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities). The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. b or lit. f DSGVO.

In addition, we will only pass on your personal data to third parties if you have given your consent to do so.

8. Consent to the processing of health data

The intended use of the app requires the processing of your blood glucose levels, information about your diet, as well as mood, activity and stress, your weight and your waist circumference. This information allows conclusions to be drawn about your state of health, so that it is health data within the meaning of Art. 4 No. 15 DSGVO. Health data belong to the special categories of personal data and are subject to special protection.

We only process your health data if you have expressly consented to this. The granting of this consent is voluntary. As part of the registration process, you can consent to us processing the (health) data you enter in connection with the use of the app for the purpose of using the digital health app as intended, providing evidence of positive care effects as part of a trial pursuant to Section 139e (4) of the German Social Code, Book V (SGB V), and providing evidence for agreements pursuant to Section 134 (1) sentence 3 of the German Social Code, Book V (SGB V). You can also consent to us processing the data for the purpose of permanently ensuring the technical functionality, user-friendliness and further development of the digital health app.

You can revoke your consent at any time with effect for the future. You can exercise your right of revocation by e-mail (programm@unahealth.de) or by mail (Una Health GmbH, Katharinenstraße 30a, Contor, 20457 Hamburg). You can also revoke the consent in the settings of the app. The lawfulness of the data processing carried out until the exercise of the revocation remains unaffected. After the revocation, we will only process personal data if we are legally obliged to do so, for example for accounting reasons.

9. No data transfer to a so-called third country

Your personal data will not be transferred to companies located outside the European EU or the European Economic Area (so-called third countries).

10. Data deletion and storage period

For the processing operations carried out by us, we indicate in each case how long the data will be stored by us and when it will be deleted or blocked. If no explicit storage period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. This is usually the case when the user account with us is deleted. The possibility to use the app ends according to § 33a SGB V with the expiration of the prescribed or approved period of use after 14 days, without the need for termination. The data will then be deleted unless we need it to fulfill legal obligations.

Your data will also be deleted if you explicitly request us to do so or if you revoke your consent. Uninstalling the app from the respective end device does not necessarily lead to a deletion of your data. You can access your user account again after reinstallation.

However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is provided for by statutory provisions to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

11. Data security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties (e.g., TLS encryption for data transmissions), taking into account the state of the art, implementation costs, and the nature, scope, context, and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

12. No obligation to provide personal data

We do not make the provision of the offers in our app dependent on you providing us with personal data in advance. As a user, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should be the case, you will be informed of this separately in this data protection declaration.

13. Your rights

You may assert your rights as a data subject regarding the processing of personal data concerning you at any time by contacting us using the contact details provided at the beginning of this document. You have the right as a data subject: 

  • in accordance with Art. 15 DSGVO to request information about your data processed by us. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;

  • in accordance with Art. 16 DSGVO to demand the correction of incorrect or the completion of your data stored by us without delay;

  • pursuant to Art. 17 DSGVO to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;

  • to request the restriction of the processing of your data in accordance with Art. 18 DSGVO, insofar as the accuracy of the data is disputed by you or the processing is unlawful;

  • pursuant to Art. 20 DSGVO to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");

  • object to the processing pursuant to Art. 21 DSGVO, provided that the processing is based on Art. 6 (1) p. 1 lit. e or lit. f DSGVO. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the merits of the case and either discontinue or adapt the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing;

  • in accordance with Art. 7 (3) DSGVO to revoke your consent once given - i.e. your voluntary will, made understandable in an informed manner and unambiguously by means of a declaration or other unambiguous confirming action, that you agree to the processing of the personal data in question for one or more specific purposes - at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent for the future and

  • complain to a data protection supervisory authority about the processing of your personal data in our company in accordance with Art. 77 DSGVO.

14. Update of the privacy policy

Due to changes in legal or regulatory requirements as well as the further development of technical standards and our offer, adjustments to this privacy policy may be necessary, which is why it is regularly reviewed in this respect for the need for changes or additions. The data protection declaration can therefore be changed at any time with effect for the future. 

This privacy policy is current as of August 2023.