Last Updated on Oct 9, 2025

Privacy Policy

Thank you for using coobi care. The protection of your personal data is important to us.

This privacy policy informs you about how your personal data is processed when you use our services. Depending on how you access coobi care, different privacy policies apply.

There are two versions of the privacy policy. Which privacy policy applies to you?

Privacy Policy for coobi care

This privacy policy applies to you if you use coobi care through your clinic, practice, or aftercare facility as part of your regular care, or if you have purchased an access code yourself. In this case, Stigma Health GmbH is responsible for data processing. You can find the privacy policy here.

Privacy Policy for users of combined aftercare for addiction disorders with coobi care

This policy applies to you if you use coobi care for combined aftercare after rehabilitation. Combined aftercare is currently being evaluated in a pilot project with the German Pension Insurance (DRV) and Martin Luther University Halle-Wittenberg. You can find the privacy policy here.

Important: Please read the privacy policy that applies to you together with the corresponding general terms of use carefully before using coobi care. If you have any questions about the privacy policy or to clarify which version applies to you, you can contact us at any time at info@coobi.health.

1. Introduction

We take the protection of your personal data (hereinafter referred to as “data”) seriously and comply with applicable data protection laws. 

With this privacy policy, we comply with our information obligations under Articles 12 et seq. of the General Data Protection Regulation (hereinafter referred to as the "GDPR"). This policy is intended to provide you with an overview of how we handle your personal data processed as part of your use of our services. 

The range of services includes the coobi.health web platform, the coobi clinic dashboard web dashboard and the coobi care app (collectively referred to as the “platform”).

Please read our Privacy Policy in conjunction with our Terms of Use. You can access the most current version of our Terms of Use at any time at https://www.coobi.health/terms-conditions.

2. Definitions
  • According to Art. 4 No. 7 GDPR, the "controller" is the party who decides on the purposes and means of processing personal data. This party determines, above all, what, how, and for what purpose personal data is processed. This party is responsible for the processing and must ensure compliance with data protection regulations.

  • According to Art. 4 No. 8 GDPR, a “processor” is the person who acts for the controller and processes personal data on his or her behalf.

  • According to Art. 4 No. 1 GDPR, “personal data” means all information that can be attributed to a directly or indirectly identifiable natural person (“data subject”).

  • According to Art. 4 No. 2 GDPR, "processing" means all possible types of data processing. This includes, in particular, the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, linking, restriction, erasure, or destruction of personal data.

  • According to Art. 4 No. 1 GDPR, “data subject” is the natural person to whom the data processed by the controller can be directly or indirectly attributed.

  • According to Art. 4 No. 9 GDPR, “recipient” is the person to whom personal data is disclosed, regardless of whether this is a third party or not.

  • According to Article 4 (10) GDPR, a “third party” means anyone other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or processor.

  • According to Art. 9 (1) GDPR, "special categories of personal data" include, in particular, the health data of the data subject. This data requires a higher level of protection.

  • According to Article 4 (15) GDPR, “health data” means personal data relating to the physical or mental health of the data subject and which reveals information about the data subject’s state of health.

  • According to Art. 4 No. 11 GDPR, “consent” means any freely given, specific, informed and unambiguous expression of the data subject’s will in the form of a statement or other unambiguous confirmatory act (e.g. ticking a checkbox provided for this purpose) by which the data subject indicates that he or she agrees to the processing of his or her personal data.

  • According to Art. 4 No. 5 GDPR, "pseudonymization" means that personal data is processed in such a way that it can no longer be attributed to a specific person without additional information. This additional information must be kept separately, and measures must be taken to ensure that the data can no longer be attributed to an identified or identifiable person.

  • According to DIN EN ISO 25237, "anonymization" describes the process by which personal data is irreversibly changed, either by the data controller alone or in cooperation with another party, in such a way that the data subject can no longer be identified directly or indirectly.

3. Information about the responsible party

The party responsible for data processing within the meaning of Art. 4 No. 7 GDPR is
Stigma Health GmbH
Barmbeker Str. 33
22303 Hamburg,

represented by the management.

If you have any questions regarding the processing of your data or the exercise of your rights as a data subject under the GDPR, we – as the controller – are available to you at any time by email to service@coobi.health. This also applies if you are unclear about a term used in this privacy policy.


4. Information about the data protection officer

Alternatively, you can also contact our Data Protection Officer (DPO) with any inquiries. 
You can reach him or her using the following contact details:

Suraj Ghag

service@coobi.health 

If you have any questions or technical problems with our platform, you can contact us by email at info@coobi.health.


5. Competent supervisory authority

You can contact the data protection supervisory authority responsible for us at any time.

You can reach them using the following contact details:

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg

Further information and current contact details can be found on the supervisory authority’s website at https://datenschutz-hamburg.de/.

6. Your rights

As a "data subject" within the meaning of Art. 4 No. 1 GDPR, you are entitled to certain inalienable rights (data subject rights). We are obligated to guarantee these data subject rights and must also contractually oblige our processors to provide us with the best possible support in implementing these rights. In this respect, you are entitled to the following data subject rights:
 

  • Right to information (Article 15 GDPR): You have the right to receive information from us as to whether we process your personal data and, if so, which data this is and for what purpose the processing is carried out.

  • Right to rectification (Article 16 GDPR): You have the right to have inaccurate or incomplete personal data that we have stored about you corrected.

  • Right to erasure (Article 17 GDPR): You have the right to request that we erase your personal data under certain circumstances. This right exists, for example, if the data is no longer necessary for the purposes for which it was collected or if you have withdrawn your consent.

  • Right to restriction of processing (Article 18 GDPR): You have the right to restrict further processing of your personal data under certain circumstances. This right exists, for example, if you contest the accuracy of the data or if the processing is unlawful.

  • Right to data portability (Article 20 GDPR): You have the right to receive a copy of your personal data from us in a structured, common, and machine-readable format. You can also have this data transmitted to another controller, provided this is technically feasible.

  • Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data for reasons related to your particular situation. We will then no longer process your data unless there are compelling legitimate grounds for the processing.

  • Right to withdraw consent (Article 7 (3) GDPR): If we process your personal data based on your consent, you can withdraw this consent at any time. This does not affect the legality of the processing until the withdrawal.

  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.

7. Transfer of data to third parties


We and the processors we employ will only pass on your data to third parties within the meaning of Art. 4 No. 10 GDPR if

  • you have given your express consent to the transfer in accordance with Art. 6 (1) (a) GDPR and/or Art. 9 (2) (a) GDPR;

  • the transfer is necessary in accordance with Art. 6 (1) (b) GDPR for the initiation or execution of a contractual relationship between you and us;

  • we are legally obliged to disclose the data in accordance with Art. 6 (1) (c) GDPR, or

  • the transfer is necessary pursuant to Art. 6 (1) (f) GDPR on the basis of our legitimate interest in asserting, exercising and defending legal claims and there is no reason to assume that you have an overriding, legitimate interest in not disclosing your data.


You can exercise your data subject rights at any time by contacting us in writing or electronically using the contact details provided in the "Information on the Controller" or "Information on the Data Protection Officer" sections of this Privacy Policy. In this context, we reserve the right to verify your identity using an appropriate procedure.

8. Data transfer to third countries

Under certain circumstances, we use service providers as data processors who are based in a third country or are part of an international organization located in a third country. A third country is a country outside the European Union (EU) or the European Economic Area (EEA) and is therefore not subject to the provisions of the GDPR. These third countries may have data protection laws that do not provide the same level of protection as the GDPR. According to Article 44 of the GDPR, the transfer of data to third countries is only permitted under certain legal conditions.

Normally, the permissibility of data transfers to third countries pursuant to Article 45 of the GDPR is based on an adequacy decision between the EU Commission and the third country in question. An adequacy decision confirms that the level of data protection in that third country corresponds to that of the GDPR. If no adequacy decision exists, the data transfer may alternatively be based on the conclusion of a contract between us and the relevant service provider pursuant to Article 46(2)(c) of the GDPR, based on the standard contractual clauses issued by the EU Commission. These clauses ensure that the service provider offers appropriate safeguards for compliance with data protection regulations, including the enforceability of data subject rights under the GDPR.

We will explicitly inform you in this privacy policy if a service provider has such a third-country connection. In this case, you consent to your personal data being transferred to this company.

9. Notes on data security

To ensure the best possible protection for your data, it is secured during transport using Secure Sockets Layer (SSL) encryption in conjunction with Transport Layer Security (TLS) encryption. This form of encryption ensures that the data cannot be read, redirected, or modified by unauthorized third parties during transmission.

To the extent that we store your data, this will be done exclusively in appropriately security-certified data centers within the European Union (EU) within the scope of the GDPR. We expressly reserve the right to involve external service providers for the storage and processing of your data, who, however, will only act on our behalf and in accordance with our instructions (processors). We contractually oblige the processors we use to implement technical and organizational measures (TOMs) that are suitable, based on the current state of the art, to ensure the processing of your data in compliance with data protection regulations. 

Under no circumstances will your data be passed on or sold to third parties by us or any of our contract processors without a legal basis.


10. Download the coobi care app, App Store

If you would like to use our coobi care app, you must first download it from your device's app store. The app is currently available for download from the Apple App Store and the Google Play Store. When you download the app, certain personal data is transmitted to the respective app store.

 

Data processed:

  • Store account username

  • E-mail address

  • Content of the request

  • Operating system of the device

Purposes of processing:

The aforementioned data is required by the operator of the respective app store in order to make the application available to you for download. This data is processed exclusively by the operator of the respective app store and is therefore beyond our control.

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the operator of the app store from which you download the application. Please note the data protection provisions posted in the respective app store regarding the legal basis for processing your data and the storage period.

To provide the coobi care app, we use the provider Amazon Web Service (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement (DPA), to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data automatically collected and transmitted by your device will remain stored until the purpose for which it was collected no longer applies. This purpose no longer applies at the latest when the user agreement between you and us is terminated.

11. Use of the coobi care app, access data

While using the coobi care app, your device automatically transmits technical data to the server on which the app is running. This data is required to ensure the functionality of the app. Since no personal data is processed and the transmitted data does not relate to an identifiable natural person, the use of the app does not fall within the scope of the GDPR according to Art. 2 (1) GDPR.

12. Use of the coobi.health web platform, access data


As soon as you access the coobi.health web platform, the browser you use automatically transmits access data (so-called log files) to the hosting provider on whose servers the coobi.health web platform is hosted. These log files contain, among other things, personal data.

Data processed:

  • IP address

  • Browser type/version

  • Operating system of the device

  • Website from which the request comes (so-called referrer URL)

  • Content of the request (specific page of the platform)

  • Date and time of the request

  • Time zone

  • Access status/HTTP status code

  • Amount of data transferred

Purposes of processing:

The log files are essential to ensure the technical functionality of the coobi.health web platform. In particular, the transmission of your IP address is necessary to enable the coobi.health web platform to be displayed on the device you are using. The data stored in the log files is neither merged with other data sources nor used to identify individual users of the platform. In particular, the transmitted data is not evaluated for marketing purposes.

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (f) GDPR. The necessary "legitimate interest" is based on our desire to offer you a secure and uninterrupted user experience on our platform. Otherwise, you would not be able to use our coobi.health web platform.

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of our coobi.health web platform, Framer, on whose servers it is operated.


In this context, the provider of Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands) acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obliged, on the basis of a data processing agreement, to set up and maintain suitable technical and organizational measures (TOMs) to protect your data.

Storage period:

The log files are automatically deleted after 14 days at the latest or are anonymized in such a way that it is no longer possible to assign this data to you.

13. Registration and use of the user account, app

To use the services we offer you through the coobi care app, you must first register a user account. With this user account, you can then log in to the password-protected area of the coobi care app, manage your account information, and use the services. After successfully logging in, you have the option of activating additional security features, such as biometric authentication (e.g., fingerprint or facial recognition) and a PIN code.

Data processed:

  • Access code (provided by the institution that enables you to participate in coobi care)

  • Security question

  • Username (may contain personal information of users)

  • Gender

  • Age range

  • Type of addiction

  • Aim of therapy

  • If applicable, information on consumption habits and previous course of therapy

  • If applicable, information on previous illnesses

  • Biometrics, if available

Purposes of processing:

The processing of the data you provide during the registration process is necessary so that you can create a user account, which gives you access to our range of services. Activating additional security features such as biometrics or a PIN code serves to make access to the app more secure and user-friendly.

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since biometrics and health data are also processed as special categories of data, your express consent to the processing of this data is required. You grant your express consent during the registration process by checking the provided checkbox. To create your user account, both your consent to the General Terms and Conditions of Use and to data processing in accordance with this Privacy Policy are mandatory in order to complete the registration process. 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the application's backend, Amazon Web Service (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data collected from you during the registration process and stored in your user account will be stored by us only for as long as necessary to fulfill the aforementioned purposes, but no longer than until you revoke your previously granted consent. You can revoke your previously granted consent at any time within your user account. Please note that revoking your consent will also result in the deletion of your user account. Your data will then be deleted by us, unless our legitimate interests or statutory retention periods conflict with deletion.

You can also revoke your consent directly within your user account using the corresponding button in the menu bar. We would like to point out again that revoking your consent will also result in the deletion of your user account. Use of the content offered on the platform without effective consent is not possible.

14. Registration and use of the user account, therapist access

In addition to the user account for patients, coobi offers the option of creating a separate account for therapists to access the coobi clinic dashboard. This involves setting up a clinic admin account, which adds specialists via their email addresses and assigns them to centers. As an employee, you will receive an email invitation with a link to create an account, where you can set a password and activate your access. Personal data will be processed in this context. 

 

Data processed:

  • E-mail address

  • Password

Purposes of processing:

The processing of this data is necessary to enable access to the coobi clinic dashboard and to ensure the secure management of patient data as well as effective therapy planning and monitoring.

 

Lawfulness of processing:

The legality of this data processing is based on Article 6 (1) (b) GDPR as it is necessary to fulfil the joint contract.

 

Recipient of the data:

The recipients of the personal data are the hosting provider Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) and Amazon Web Service (AWS), which is used to provide servers and databases. Both providers act as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, based on a data processing agreement, to implement appropriate technical and organizational measures (TOMs) to ensure the protection of your data.

 

Storage period:

The data processed within the Dashboard Account will only be stored for as long as necessary to fulfill the purpose or until the account is deactivated.

 
15. Use of the coobi care app, onboarding

After completing your user account registration, you will undergo a medical onboarding process as part of the application. The application can only fulfill its medical purpose based on your health-related data. Accordingly, based on this data, the application's content will be individually tailored to your specific situation.

Data processed:

  • Gender

  • Age range

  • Type of addiction

  • Aim of therapy

  • If applicable, information on consumption habits and previous course of therapy

  • If applicable, information on previous illnesses

  • If applicable, name of an emergency contact

  • Biometric credentials

Purposes of processing:

The processing of the above data is necessary so that the application can select and display appropriate content on the topic of addiction. The goal is to support you in dealing with your addiction. 

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since health data is also processed as a special category of data, your express consent to the processing of this data is required. You give your express consent during the registration process by checking the provided checkbox. 

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the application's backend, Amazon Web Service (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data you provide during the onboarding process will remain stored in your user account until you revoke your consent or delete your user account. Please note that revoking your consent will result in the services offered within the application no longer being available to you.

Note on your data subject rights:

You may revoke your previously granted consent at any time with future effect in accordance with Art. 7 (3) GDPR. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation.

 

16. Anonymization of data, further processing for research purposes

The usage data collected as part of the application is further processed in an anonymized form to gain valuable insights for addiction research. Anonymization alters the data so that it can no longer be assigned to a specific person, thus completely removing any personal reference. This anonymized data is used exclusively for research purposes and contributes to promoting the understanding and prevention of addictive behavior. Therefore, this data does not fall within the scope of the GDPR.

Data processed:

  • Anonymized usage data

Purposes of processing:

We need the anonymized usage data to gain valuable insights for addiction research. From the data obtained, we can draw conclusions about addictive behavior and use them for scientific studies and the further development of prevention measures.

Lawfulness of processing:

We base the legality of our data processing on Article 6 (1) (a) GDPR. You grant your consent separately from the other consents given during the registration process by checking the provided checkbox. Since the data is subsequently completely anonymized and no longer contains any personal reference, it is not subject to the provisions of the GDPR.

 

Recipient of the data:

The recipient of the anonymized data is Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), which acts as the hosting provider and provides the technical infrastructure. Since no personal data is processed, this does not constitute processing within the meaning of data protection law.

 

Storage period:

Your usage data will be anonymized until you revoke your consent. Please note that anonymized data can be stored indefinitely.

 

17. Receiving newsletters, promotional information, HubSpot

As part of our service offering, we offer you the opportunity to subscribe to our newsletter. For the creation, distribution, and evaluation of our newsletter, it is necessary that your personal data be processed.

Data processed:

  • E-mail address

  • Anonymized usage data (e.g. opening and click rate)

  • Registration and confirmation time

  • IP address

  • Log data

Purposes of processing:

The processing of the aforementioned data is necessary so that we can send you personalized newsletters and information and carry out an anonymized evaluation of the success of our newsletters in terms of click and opening rates.

Lawfulness of processing:

We base the legality of this data processing on Article 6 (1) (a) GDPR. Your consent to receive our newsletter and information can be obtained via our website.

Registration for our newsletter is done using a so-called double opt-in process. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one else can register using someone else's email address. Newsletter registrations are logged to provide evidence of the registration process in accordance with legal requirements.

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service provider HubSpot (HubSpot Ireland Ltd., European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland). In this context, HubSpot acts as our data processor and has been obligated by us, based on a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data we process in this context will be stored by us until you revoke your consent to receive our newsletters and information. You can revoke your previously granted consent to receive our newsletters and information at any time in the footer of the newsletters and information you receive from us or by email to info@coobi.health.

 

18. Use of support chat, Intercom

You have the option of contacting customer service via chat within the application or website. Processing your inquiries or messages via chat requires the processing of personal data you provide.

 

Data processed:

  • Communication content

  • Health data, if part of the communication

  • Access code

  • Security question and answer

  • Username

 

Purposes of processing:

The data you submit during the chat will be processed solely for the purpose of processing and responding to your inquiries or messages. We use this communication channel to enable you to contact us quickly and easily and to ensure efficient service.

 

Lawfulness of processing: 

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since health data is also processed as a special category of data, your express consent to the processing of this data is required. You give your express consent during the registration process by checking the provided checkbox.

 

Recipient of the data:

The recipients of your personal data pursuant to Art. 4 No. 9 GDPR are the hosting provider of the application, Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), the hosting provider of our coobi.health web platform, Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands), and the provider of the chat tool Intercom (Intercom R&D Unlimited Company, 124 St. Stephen's Green, Dublin 2, DC02 C628, Ireland). In this context, the aforementioned service providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, on the basis of a data processing agreement, to implement and maintain suitable technical and organizational measures (TOMs) to protect your data.


Storage period:

We will only store the processed data for as long as necessary to achieve the purposes pursued by this processing. After the communication has ended, the data will be deleted, unless there are legal retention periods that prevent deletion.

 

19. Use of the coobi chat, therapy and aftercare

In addition to the support chat, a separate chat is available for communication between users and potentially with treating therapists. This chat is particularly designed to support follow-up and group therapy sessions.

 

Data processed:

  • Communication content

  • Health data, if part of the communication

  • Username

Purposes of processing:

The processing of data transmitted in the therapy and aftercare chat serves solely to facilitate communication between users and therapists and to support the recovery process through targeted interventions. This chat promotes sustainable aftercare, helps prevent relapses, and empowers patients in crisis situations.

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR, since health data can be processed as special categories of personal data. Your explicit consent will be obtained during the registration process.

Recipient of the data:

The recipient of your personal data pursuant to Art. 4 No. 9 GDPR is the hosting provider Amazon Web Service (AWS). The service provider acts as a processor within the meaning of Art. 4 No. 8 GDPR and has been obligated to implement appropriate technical and organizational measures (TOMs) based on a data processing agreement.

 

Storage period:

The processed data will be stored only for as long as necessary to achieve the purpose. After the therapy phase or communication has been completed, the data will be deleted unless legally required to retain the data.

 

20. Data transfer, dashboard coobi clinic dashboard

As part of our service offering, we offer medical facilities the coobi clinic dashboard. The dashboard supports your effective outpatient addiction treatment and aftercare and offers the option of ongoing, personalized support from your therapists when using the coobi care app. Personal data is processed in this context.

Data processed:

  • Pseudonymized user data from the coobi care app

  • Aggregated statistics on usage behavior and therapy progress

  • Pseudonymized information on addiction types, goals and consumption behavior

 

Purposes of data processing:

The processing of the aforementioned data within the coobi care app and the coobi clinic dashboard aims to optimally support medical professionals in accompanying and supporting patients with addiction disorders. The data processing thus serves to improve the quality of addiction treatment, promote self-activity and social interaction among those affected, and ensure effective aftercare. At the same time, the app supports communication between patients and treatment providers to enable individualized, needs-based care.

 

Lawfulness of processing:

We base the legality of this data processing on your express consent in accordance with Art. 9 (2) (a) GDPR. You grant your consent by selecting, in your settings, the data types you wish to share.

Recipient of the data:

The recipients of your personal data within the meaning of Art. 4 No. 9 GDPR and Art. 4 No. 15 GDPR are exclusively authorized medical professionals in clinics and therapy facilities that use the coobi clinic dashboard, as well as technical staff of Stigma Health GmbH who are responsible for maintenance and support of the dashboard.

 

Storage period:

The data will be stored for the duration of your use of the coobi care service. Upon termination of use or revocation of consent, the data will be deleted unless we are legally required to retain it. In this case, the data will be blocked for the duration of the legally required retention period and deleted after its expiration.

 

21. Processing of technical inquiries, Linear

We use Linear's ticketing system to resolve technical issues. Personal data is processed in this context.

 

Data processed:

  • Contact information

  • Problem description

  • Communication history regarding the problem

Purposes of processing:

Processing this data enables us to efficiently identify, track and resolve technical issues to ensure the smooth operation of our services.

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (b) GDPR, as it is necessary to fulfill our contractual obligations, in particular to resolve technical issues and to ensure the proper functioning of the app we provide.

Furthermore, we rely on Art. 6 (1) (f) GDPR because we have a legitimate interest in efficiently recording, tracking and resolving technical problems in order to ensure the quality of our services and to optimise the user experience.

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the provider of the ticketing system Linear (Linear Orbit Inc., 2261 Market St STE 10632 San Francisco, CA 94114, USA). In this context, Linear acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been accordingly obligated, on the basis of a data processing agreement (DPA), to implement and maintain appropriate technical and organizational measures (TOMs) to protect your personal data.

As a precaution, we would like to point out that in connection with Linear, data transfer to third countries cannot be completely ruled out. However, Linear has committed to taking appropriate measures to prevent such data leakage by incorporating the EU Commission's Standard Contractual Clauses (SCC). Further information can be found in the "Data Transfer to Third Countries" section of this Privacy Policy.

 

Storage period:

The data will be stored until the end of the contract period at the latest, provided that there are no legal retention obligations that prevent deletion.

 

22. Data transmission, interfaces

Our app uses interfaces to securely transmit your data, collected by wearables and mobile devices, to a central platform for further processing and use. 

The data is transferred via the following interfaces:

  • Apple Health

  • Health Kit

  • Garmin Connect

Data processed:

  • Vital signs

  • Activity data

Purposes of processing:

The processing of your personal data serves exclusively for the secure transmission between wearables, mobile devices and our coobi care app.

 

Lawfulness of processing:

We base the legality of this data processing on your express consent (see Art. 9 (2) (a) GDPR). You grant your consent by checking the provided checkbox during the registration process.

 

Recipient of the data:

The data is transmitted exclusively using secure encryption. The interface providers and the hosting provider have no access to the data themselves. 

The data collected via the interfaces is received and processed by the coobi care app. Access to the data is reserved exclusively for recipients authorized by you.

 

Storage period:

The data is only temporarily stored for transmission and then deleted.

 

23. Use of cookies

In addition to the aforementioned access data (log files), cookies may be used within the coobi.health web platform and the coobi clinic dashboard. Cookies are small text files that are automatically saved by your browser and stored on your device. These do not contain any malicious software.

It is important to note that the use of certain cookies may be necessary for technical reasons, for example, to ensure the correct functionality of the platform. These cookies, referred to as "technically necessary cookies," are to be distinguished from those that serve other purposes, such as analyzing user behavior, and are considered "technically non-essential cookies." Cookies are used on the coobi.health web platform to analyze site usage and to perform targeted optimizations. 

Data processed by coobi.health:

  • Number of visitors

  • Duration of visit

  • Origin of visitors

  • IP address

 

Data processed by coobi clinic dashboard:

  • Form data (e.g. log-in information)

  • Language settings

  • History data (e.g. search terms entered)

 

Purposes of processing:

The analysis of the web platform's data serves to optimize the website and improve the user experience.

The processing of this data is necessary to ensure secure and personalized use of the dashboard and to ensure access to relevant content and functions.

Lawfulness of processing:

We base the legality of the data processing on the web platform on Art. 6 (1) (a) GDPR. Your consent is obtained via a cookie banner that is displayed on your first visit. The legality of the data processing on the dashboard is based on Art. 6 (1) (f) GDPR (legitimate interest), as these cookies are necessary to ensure the technical functionality and security of the dashboard.

 

Recipient of the data:

Recipients of your personal data in accordance with Art. 4 No. 9 GDPR are the hosting provider of our coobi.health web platform Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands), on whose servers it is operated, as well as the hosting provider of the web dashboard coobi clinic dashboard, Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) and AWS (Amazon Web Services Emea Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg), which is used to provide servers and databases.

Both providers act as data processors pursuant to Art. 4 No. 8 GDPR and have been contractually obliged to implement appropriate technical and organizational measures (TOMs) to protect your data.

 

Storage period:

You have the option to prevent the use of cookies by deactivating or restricting automatic cookie storage in your browser settings. You can also manually delete cookies stored on your device. Please note, however, that deactivating cookies may result in the platform no longer functioning fully or at all.

 

24. Usage analysis services

To analyze user behavior and ensure the functionality and security of our platform, we use the services LogRocket and Amazon Web Services (AWS). These services enable the collection and analysis of usage data as well as error detection and troubleshooting. This requires the processing of personal data.

Data processed:

  • User ID

  • Device information (e.g. operating system, OS version)

  • Time and date of access

  • Version of the application

  • Session ID

  • Usage statistics and performance metrics

Purposes of processing:

Processing the aforementioned data enables us to analyze and evaluate platform usage across different devices. This allows us to identify potential for improvement within the platform, optimize user-friendliness, and continuously improve the user experience. Our goal is to best adapt the platform and the range of services offered to user needs. This data processing contributes to the continuous improvement of the quality and functionality of our platform and thus ensures optimal service for our users.

 

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (a) GDPR. You grant your consent by checking the box provided for this purpose during the registration process to consent to the collection of data for the purpose of usage analysis. Your consent is purely optional and has no connection whatsoever with the ability to use the platform.

 

Recipient of the data:

Recipients of your personal data within the meaning of Art. 4 No. 9 GDPR are the providers of usage analysis services LogRocket (LogRocket, 87 Summer St, Boston, MA 02110, USA) and AWS (Amazon Web Services Emea Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg).

In this context, the aforementioned providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been accordingly obliged, on the basis of a data processing agreement (DPA), to set up and maintain suitable technical and organizational measures (TOMs) to protect your personal data.

 

Storage period:

Your usage data is linked exclusively to a user ID, which makes it difficult to directly assign the data to you. This form of pseudonymization allows us to immediately remove the connection between the user ID and your personal data if you delete your user account on the platform or revoke your consent to usage data analysis. By removing the user ID, the usage data collected from you is anonymized and can therefore no longer be assigned to you. Once anonymized, usage data is retained by us for an unlimited period of time.

 

25. Use of local Google Webfonts

To improve the display of the platform, we use locally hosted web fonts from Google (Google Web Fonts). To display these fonts, your browser must send your data to the hosting provider on whose servers our platform is hosted. This includes, among other things, personal data.

Data processed:

  • IP address

  • Browser type/version

  • Operating system of the device

  • Website from which the request comes (so-called referrer URL)

  • Content of the request (specific page of the platform)

  • Date and time of the request

  • Time zone

  • Access status/HTTP status code

  • Amount of data transferred

Purposes of processing:

The processing of the aforementioned data, in conjunction with the use of locally hosted Google Webfonts, enables us to display the contents of our platform uniformly in different browsers and on different devices.


Lawfulness of processing:

We base the legality of this data processing on Article 6 (1) (f) GDPR. The necessary "legitimate interest" is based on our desire to offer you a secure and uninterrupted user experience on our platform.

 

Recipient of the data:

The recipients of your personal data pursuant to Art. 4 No. 9 GDPR are the hosting provider of the application, Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), the hosting provider of the coobi clinic dashboard, Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA), and the hosting provider of our coobi.health web platform, Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands). In this context, the aforementioned providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, on the basis of a data processing agreement, to establish and maintain suitable technical and organizational measures (TOMs) to protect your data.

 

Storage period:

The stored data will be deleted immediately after you have finished accessing our platform.

 

26. Contacting the controller

You have the opportunity to contact us at any time, including within the platform, via email or contact form, and submit inquiries. Processing your inquiries requires us to take note of the personal data you provide to us as part of your inquiry.

 

Data processed:

  • E-mail address

  • Date and time of the request

  • Content of the request

Purposes of processing:

We process the data you provide when contacting us solely for the purpose of recording, processing, and responding to your inquiry. Please note that product-related complaints may be used by us as part of our market monitoring to evaluate the quality and safety of the services offered (feedback management).

 

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (f) GDPR or on Art. 6 (1) (b) GDPR if you contact us in the context of initiating or processing a contract between you and us (e.g. user agreement for the use of the service offering). Our legitimate interest arises from our desire to answer your inquiries comprehensively and specifically and to resolve any problems with the services we offer as quickly as possible. If you submit your inquiry via a contact form offered as part of our platform, we base the legality of the data processing on Art. 6 (1) (a) GDPR. You give your consent by agreeing to the processing of your data in accordance with this data protection declaration by ticking the checkbox provided for this purpose before sending your inquiry via the contact form. 

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the provider of the email software we use to receive and process emails. This is Google Mail (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). 

In addition, we use the chatbot of the provider Intercom (Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, DC02 C628, Ireland), which also functions as a contact form.

In this context, the aforementioned providers act as data processors for us and have been obliged by us, on the basis of a data processing agreement, to set up and maintain suitable technical and organizational measures (TOMs) to protect your data.

 

Storage period:

We will only store the processed data for as long as necessary to process and respond to your inquiry. Afterward, we will delete the data unless there are legal retention periods that prevent deletion.

 

Note on your data subject rights:

You have the right to object to this processing at any time, in accordance with Art. 21 GDPR, for reasons related to your particular situation. Unless we can demonstrate compelling legitimate grounds for processing your data that override your interests, rights, and freedoms as a data subject, or the processing serves to assert, exercise, or defend legal claims, we must cease processing. However, this only applies if the processing of your data is based on Art. 6 (1) (f) GDPR (legitimate interest).

 

27. Updating this Privacy Policy

We reserve the right to update this privacy policy with future effect in order to respond appropriately to changes in the law, case law, or economic circumstances. We will notify you in a timely manner of any changes we intend to make to this privacy policy. Your rights as a data subject within the meaning of the GDPR will never be restricted by any changes to this privacy policy.


Privacy Policy for users of combined aftercare for addiction disorders with coobi care

1. Introduction

We take the protection of your personal data (hereinafter referred to as “data”) seriously and comply with applicable data protection laws. 

With this privacy policy, we comply with our information obligations under Articles 12 et seq. of the General Data Protection Regulation (hereinafter referred to as the "GDPR"). This policy is intended to provide you with an overview of how we handle your personal data processed as part of your use of our services. 

The range of services includes the coobi.health web platform, the coobi clinic dashboard web dashboard and the coobi care app (collectively referred to as the “platform”).

Please read our Privacy Policy in conjunction with our Terms of Use. You can access the most current version of our Terms of Use at any time at https://www.coobi.health/terms-conditions.

2. Definitions

  • According to Art. 4 No. 7 GDPR, the "controller" is the party who decides on the purposes and means of processing personal data. This party determines, above all, what, how, and for what purpose personal data is processed. This party is responsible for the processing and must ensure compliance with data protection regulations.

  • According to Art. 4 No. 8 GDPR, a “processor” is the person who acts for the controller and processes personal data on his or her behalf.

  • According to Art. 4 No. 1 GDPR, “personal data” means all information that can be attributed to a directly or indirectly identifiable natural person (“data subject”).

  • According to Art. 4 No. 2 GDPR, "processing" means all possible types of data processing. This includes, in particular, the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, linking, restriction, erasure, or destruction of personal data.

  • According to Art. 4 No. 1 GDPR, “data subject” is the natural person to whom the data processed by the controller can be directly or indirectly attributed.

  • According to Art. 4 No. 9 GDPR, “recipient” is the person to whom personal data is disclosed, regardless of whether this is a third party or not.

  • According to Article 4 (10) GDPR, a “third party” means anyone other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or processor.

  • According to Art. 9 (1) GDPR, "special categories of personal data" include, in particular, the health data of the data subject. This data requires a higher level of protection.

  • According to Article 4 (15) GDPR, “health data” means personal data relating to the physical or mental health of the data subject and which reveals information about the data subject’s state of health.

  • According to Art. 4 No. 11 GDPR, “consent” means any freely given, specific, informed and unambiguous expression of the data subject’s will in the form of a statement or other unambiguous confirmatory act (e.g. ticking a checkbox provided for this purpose) by which the data subject indicates that he or she agrees to the processing of his or her personal data.

  • According to Art. 4 No. 5 GDPR, "pseudonymization" means that personal data is processed in such a way that it can no longer be attributed to a specific person without additional information. This additional information must be kept separately, and measures must be taken to ensure that the data can no longer be attributed to an identified or identifiable person.

  • According to DIN EN ISO 25237, "anonymization" describes the process by which personal data is irreversibly changed, either by the data controller alone or in cooperation with another party, in such a way that the data subject can no longer be identified directly or indirectly.
     

3. Information about the responsible party

coobi acts solely as a processor for the institution that made this app available to you. The responsible party for the data processing within the meaning of Art. 28 GDPR is
 

Stigma Health GmbH
Barmbeker Str. 33
22303 Hamburg,

represented by the management.
 

If you have any questions regarding the processing of your data or the exercise of your rights as a data subject under the GDPR, we – as the controller – are available to you at any time by email to service@coobi.health. This also applies if you are unclear about a term used in this privacy policy.

4. Information about the data protection officer

Alternatively, you can also contact our Data Protection Officer (DPO) with any inquiries. 
You can reach him or her using the following contact details:

Suraj Ghag

service@coobi.health 

If you have any questions or technical problems with our platform, you can contact us by email at info@coobi.health.

5. Competent supervisory authority

You can contact the data protection supervisory authority responsible for us at any time.

You can reach them using the following contact details:
 

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg
 

Further information and current contact details can be found on the supervisory authority’s website at https://datenschutz-hamburg.de/.

6. Your rights

As a "data subject" within the meaning of Art. 4 No. 1 GDPR, you are entitled to certain inalienable rights (data subject rights). We are obligated to guarantee these data subject rights and must also contractually oblige our processors to provide us with the best possible support in implementing these rights. In this respect, you are entitled to the following data subject rights:

  • Right to information (Article 15 GDPR): You have the right to receive information from us as to whether we process your personal data and, if so, which data this is and for what purpose the processing is carried out.

  • Right to rectification (Article 16 GDPR): You have the right to have inaccurate or incomplete personal data that we have stored about you corrected.

  • Right to erasure (Article 17 GDPR): You have the right to request that we erase your personal data under certain circumstances. This right exists, for example, if the data is no longer necessary for the purposes for which it was collected or if you have withdrawn your consent.

  • Right to restriction of processing (Article 18 GDPR): You have the right to restrict further processing of your personal data under certain circumstances. This right exists, for example, if you contest the accuracy of the data or if the processing is unlawful.

  • Right to data portability (Article 20 GDPR): You have the right to receive a copy of your personal data from us in a structured, common, and machine-readable format. You can also have this data transmitted to another controller, provided this is technically feasible.

  • Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data for reasons related to your particular situation. We will then no longer process your data unless there are compelling legitimate grounds for the processing.

  • Right to withdraw consent (Article 7 (3) GDPR): If we process your personal data based on your consent, you can withdraw this consent at any time. This does not affect the legality of the processing until the withdrawal.

  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.

7. Transfer of data to third parties

We and the processors we employ will only pass on your data to third parties within the meaning of Art. 4 No. 10 GDPR if:

  • You have given your express consent to the transfer in accordance with Art. 6 (1) (a) GDPR and/or Art. 9 (2) (a) GDPR;

  • the transfer is necessary in accordance with Art. 6 (1) (b) GDPR for the initiation or execution of a contractual relationship between you and us;

  • we are legally obliged to disclose the data in accordance with Art. 6 (1) (c) GDPR, or

  • the transfer is necessary pursuant to Art. 6 (1) (f) GDPR on the basis of our legitimate interest in asserting, exercising and defending legal claims and there is no reason to assume that you have an overriding, legitimate interest in not disclosing your data.


You can exercise your data subject rights at any time by contacting us in writing or electronically using the contact details provided in the "Information on the Controller" or "Information on the Data Protection Officer" sections of this Privacy Policy. In this context, we reserve the right to verify your identity using an appropriate procedure.

8. Data transfer to third countries

Under certain circumstances, we use service providers as data processors who are based in a third country or are part of an international organization located in a third country. A third country is a country outside the European Union (EU) or the European Economic Area (EEA) and is therefore not subject to the provisions of the GDPR. These third countries may have data protection laws that do not provide the same level of protection as the GDPR. According to Article 44 of the GDPR, the transfer of data to third countries is only permitted under certain legal conditions.

Normally, the permissibility of data transfers to third countries pursuant to Article 45 of the GDPR is based on an adequacy decision between the EU Commission and the third country in question. An adequacy decision confirms that the level of data protection in that third country corresponds to that of the GDPR. If no adequacy decision exists, the data transfer may alternatively be based on the conclusion of a contract between us and the relevant service provider pursuant to Article 46(2)(c) of the GDPR, based on the standard contractual clauses issued by the EU Commission. These clauses ensure that the service provider offers appropriate safeguards for compliance with data protection regulations, including the enforceability of data subject rights under the GDPR.

We will explicitly inform you in this privacy policy if a service provider has such a third-country connection. In this case, you consent to your personal data being transferred to this company.

9. Notes on data security

To ensure the best possible protection for your data, it is secured during transport using Secure Socket Layer (SSL) encryption in conjunction with Transport Layer Security (TLS) encryption. This form of encryption ensures that the data cannot be read, redirected, or modified by unauthorized third parties during transmission. 

To the extent that we store your data, this will be done exclusively in appropriately security-certified data centers within the European Union (EU) within the scope of the GDPR. We expressly reserve the right to involve external service providers for the storage and processing of your data, who, however, will only act on our behalf and in accordance with our instructions (processors). We contractually oblige the processors we use to implement technical and organizational measures (TOMs) that are suitable, based on the current state of the art, to ensure the processing of your data in compliance with data protection regulations. 

Under no circumstances will your data be passed on or sold to third parties by us or any of our contract processors without a legal basis.

10. Download the coobi care app, App Store

If you would like to use our coobi care app, you must first download it from your device's app store. The app is currently available for download from the Apple App Store and the Google Play Store. When you download the app, certain personal data is transmitted to the respective app store.

 

Data processed:

  • Store account username

  • E-mail address

  • Content of the request

  • Operating system of the device

Purposes of processing:

The aforementioned data is required by the operator of the respective app store in order to make the application available to you for download. This data is processed exclusively by the operator of the respective app store and is therefore beyond our control.

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the operator of the app store from which you download the application. Please note the data protection provisions posted in the respective app store regarding the legal basis for processing your data and the storage period.

To provide the coobi care app, we use the provider Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement (DPA), to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data automatically collected and transmitted by your device will remain stored until the purpose for which it was collected no longer applies. This purpose no longer applies at the latest when the user agreement between you and us is terminated.

11. Use of the coobi care app, access data

While using the coobi care app, your device automatically transmits technical data to the server on which the app is running. This data is required to ensure the functionality of the app. Since no personal data is processed and the transmitted data does not relate to an identifiable natural person, the use of the app does not fall within the scope of the GDPR according to Art. 2 (1) GDPR.

12. Use of the coobi.health web platform, access data

As soon as you access the coobi.health web platform, the browser you use automatically transmits access data (so-called log files) to the hosting provider on whose servers the coobi.health web platform is hosted. These log files contain, among other things, personal data.

Data processed:

  • IP address

  • Browser type/version

  • Operating system of the device

  • Website from which the request comes (so-called referrer URL)

  • Content of the request (specific page of the platform)

  • Date and time of the request

  • Time zone

  • Access status/HTTP status code

  • Amount of data transferred

Purposes of processing:

The log files are essential to ensure the technical functionality of the coobi.health web platform. In particular, the transmission of your IP address is necessary to enable the coobi.health web platform to be displayed on the device you are using. The data stored in the log files is neither merged with other data sources nor used to identify individual users of the platform. In particular, the transmitted data is not evaluated for marketing purposes.

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (f) GDPR. The necessary "legitimate interest" is based on our desire to offer you a secure and uninterrupted user experience on our platform. Otherwise, you would not be able to use our coobi.health web platform.

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of our coobi.health web platform, Framer, on whose servers it is operated.


In this context, the provider of Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands) acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obliged, on the basis of a data processing agreement, to set up and maintain suitable technical and organizational measures (TOMs) to protect your data.

Storage period:

The log files are automatically deleted after 14 days at the latest or are anonymized in such a way that it is no longer possible to assign this data to you.

13. Registration and use of the user account, app 

To use the services we offer you through the coobi care app, you must first register a user account. With this user account, you can then log in to the password-protected area of the coobi care app, manage your account information, and use the services. After successfully logging in, you have the option of activating additional security features, such as biometric authentication (e.g., fingerprint or facial recognition) and a PIN code.

Data processed:

  • Access code (provided by the institution that enables you to participate in coobi care)

  • Security question

  • Username (may contain personal information of users)

  • Gender

  • Age range

  • Type of addiction

  • Aim of therapy

  • If applicable, information on consumption habits and previous course of therapy

  • If applicable, information on previous illnesses

  • Biometrics, if available

Purposes of processing:

The processing of the data you provide during the registration process is necessary so that you can create a user account, which gives you access to our range of services. Activating additional security features such as biometrics or a PIN code serves to make access to the app more secure and user-friendly.

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since biometrics and health data are also processed as special categories of data, your express consent to the processing of this data is required. You grant your express consent during the registration process by checking the provided checkbox. To create your user account, both your consent to the General Terms and Conditions of Use and to data processing in accordance with this Privacy Policy are mandatory in order to complete the registration process. 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the application's backend, Amazon Web Service (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data collected from you during the registration process and stored in your user account will be stored by us only for as long as necessary to fulfill the aforementioned purposes, but no longer than until you revoke your previously granted consent. You can revoke your previously granted consent at any time within your user account. Please note that revoking your consent will also result in the deletion of your user account. Your data will then be deleted by us, unless our legitimate interests or statutory retention periods conflict with deletion.

You can also revoke your consent directly within your user account using the corresponding button in the menu bar. We would like to point out again that revoking your consent will also result in the deletion of your user account. Use of the content offered on the platform without effective consent is not possible.

14. Registration and use of the user account, therapist access

In addition to the user account for patients, coobi offers the option of creating a separate account for therapists to access the coobi clinic dashboard. This involves setting up a clinic admin account, which adds specialists via their email addresses and assigns them to centers. As an employee, you will receive an email invitation with a link to create an account, where you can set a password and activate your access. Personal data will be processed in this context. 

 

Data processed:

  • E-mail address

  • Password

Purposes of processing:

The processing of this data is necessary to enable access to the coobi clinic dashboard and to ensure the secure management of patient data as well as effective therapy planning and monitoring.

 

Lawfulness of processing:

The legality of this data processing is based on Article 6 (1) (b) GDPR as it is necessary to fulfil the joint contract.

 

Recipient of the data:

The recipients of the personal data are the hosting provider Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) and Amazon Web Service (AWS), which is used to provide servers and databases. Both providers act as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, based on a data processing agreement, to implement appropriate technical and organizational measures (TOMs) to ensure the protection of your data.

 

Storage period:

The data processed within the Dashboard Account will only be stored for as long as necessary to fulfill the purpose or until the account is deactivated.

 

15. Use of the coobi care app, onboarding

After completing your user account registration, you will undergo a medical onboarding process as part of the application. The application can only fulfill its medical purpose based on your health-related data. Accordingly, based on this data, the application's content will be individually tailored to your specific situation.

Data processed:

  • Gender

  • Age range

  • Type of addiction

  • Aim of therapy

  • If applicable, information on consumption habits and previous course of therapy

  • If applicable, information on previous illnesses

  • If applicable, name of an emergency contact

  • Biometric credentials

Purposes of processing:

The processing of the above data is necessary so that the application can select and display appropriate content on the topic of addiction. The goal is to support you in dealing with your addiction. 

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since health data is also processed as a special category of data, your express consent to the processing of this data is required. You give your express consent during the registration process by checking the provided checkbox. 

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the application's backend, Amazon Web Service (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg). In this context, AWS acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been obligated, on the basis of a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data you provide during the onboarding process will remain stored in your user account until you revoke your consent or delete your user account. Please note that revoking your consent will result in the services offered within the application no longer being available to you.

Note on your data subject rights:

You may revoke your previously granted consent at any time with future effect in accordance with Art. 7 (3) GDPR. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation.

 

16. Anonymization of data, further processing for research purposes

The usage data collected as part of the application is further processed in an anonymized form to gain valuable insights for addiction research. Anonymization alters the data so that it can no longer be assigned to a specific person, thus completely removing any personal reference. This anonymized data is used exclusively for research purposes and contributes to promoting the understanding and prevention of addictive behavior. Therefore, this data does not fall within the scope of the GDPR.

Data processed:

  • Anonymized usage data

Purposes of processing:

We need the anonymized usage data to gain valuable insights for addiction research. From the data obtained, we can draw conclusions about addictive behavior and use them for scientific studies and the further development of prevention measures.

Lawfulness of processing:

We base the legality of our data processing on Article 6 (1) (a) GDPR. You grant your consent separately from the other consents given during the registration process by checking the provided checkbox. Since the data is subsequently completely anonymized and no longer contains any personal reference, it is not subject to the provisions of the GDPR.

 

Recipient of the data:

The recipient of the anonymized data is Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), which acts as the hosting provider and provides the technical infrastructure. Since no personal data is processed, this does not constitute processing within the meaning of data protection law.

 

Storage period:

Your usage data will be anonymized until you revoke your consent. Please note that anonymized data can be stored indefinitely.

 
17. Receiving newsletters, promotional information, HubSpot

As part of our range of services provided on behalf of the aftercare facility, we offer you the opportunity to subscribe to our newsletter. For the creation, distribution, and evaluation of our newsletter, it is necessary that your personal data be processed.

Data processed:

  • E-mail address

  • Anonymized usage data (e.g. opening and click rate)

  • Registration and confirmation time

  • IP address

  • Log data

Purposes of processing:

The processing of the aforementioned data is necessary so that we can send you personalized newsletters and information and carry out an anonymized evaluation of the success of our newsletters in terms of click and opening rates.

Lawfulness of processing:

We base the legality of this data processing on Article 6 (1) (a) GDPR. Your consent to receive our newsletter and information can be obtained via our website.

Registration for our newsletter is done using a so-called double opt-in process. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one else can register using someone else's email address. Newsletter registrations are logged to provide evidence of the registration process in accordance with legal requirements.

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service provider Hubspot (HubSpot Ireland Ltd., European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland). In this context, the provider of Hubspot acts as our data processor and has been obligated by us, based on a data processing agreement, to implement and maintain appropriate technical and organizational measures (TOMs) to protect your data.

Storage period:

The data we process in this context will be stored by us until you revoke your consent to receive our newsletters and information. You can revoke your previously granted consent to receive our newsletters and information at any time in the footer of the newsletters and information you receive from us or by email to info@coobi.health.
 

18. Use of support chat, Intercom

You have the option of contacting customer service via chat within the application or website. Processing your inquiries or messages via chat requires the processing of personal data you provide.

 

Data processed:

  • Communication content

  • Health data, if part of the communication

  • Access code

  • Security question and answer

  • Username

 

Purposes of processing:

The data you submit during the chat will be processed solely for the purpose of processing and responding to your inquiries or messages. We use this communication channel to enable you to contact us quickly and easily and to ensure efficient service.

 

Lawfulness of processing: 

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. Since health data is also processed as a special category of data, your express consent to the processing of this data is required. You give your express consent during the registration process by checking the provided checkbox.

 

Recipient of the data:

The recipients of your personal data pursuant to Art. 4 No. 9 GDPR are the hosting provider of the application, Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), the hosting provider of our coobi.health web platform, Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands), and the provider of the chat tool Intercom (Intercom R&D Unlimited Company, 124 St. Stephen's Green, Dublin 2, DC02 C628, Ireland). In this context, the aforementioned service providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, on the basis of a data processing agreement, to implement and maintain suitable technical and organizational measures (TOMs) to protect your data.


Storage period:

We will only store the processed data for as long as necessary to achieve the purposes pursued by this processing. After the communication has ended, the data will be deleted, unless there are legal retention periods that prevent deletion.

 

19. Use of the coobi chat, therapy and aftercare

In addition to the support chat, a separate chat is available for communication between users and potentially with treating therapists. This chat is particularly designed to support follow-up and group therapy sessions.

 

Data processed:

  • Communication content

  • Health data, if part of the communication

  • Username

Purposes of processing:

The processing of data transmitted in the therapy and aftercare chat serves solely to facilitate communication between users and therapists and to support the recovery process through targeted interventions. This chat promotes sustainable aftercare, helps prevent relapses, and empowers patients in crisis situations.

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR, since health data can be processed as special categories of personal data. Your explicit consent will be obtained during the registration process.

Recipient of the data:

The recipient of your personal data pursuant to Art. 4 No. 9 GDPR is the hosting provider Amazon Web Service (AWS). The service provider acts as a processor within the meaning of Art. 4 No. 8 GDPR and has been obligated to implement appropriate technical and organizational measures (TOMs) based on a data processing agreement.

 

Storage period:

The processed data will be stored only for as long as necessary to achieve the purpose. After the therapy phase or communication has been completed, the data will be deleted unless legally required to retain the data.

 

20. Data transfer, coobi clinic dashboard

As part of our service offering, we offer medical facilities the coobi clinic dashboard. The dashboard supports your effective outpatient addiction treatment and aftercare and offers the option of ongoing, personalized support from your therapists when using the coobi care app. Personal data is processed in this context.

Data processed:

  • Pseudonymized user data from the coobi care app

  • Aggregated statistics on usage behavior and therapy progress

  • Pseudonymized information on addiction types, goals and consumption behavior

 

Purposes of data processing:

The processing of the aforementioned data within the coobi care app and the coobi clinic dashboard aims to optimally support medical professionals in accompanying and supporting patients with addiction disorders. The data processing thus serves to improve the quality of addiction treatment, promote self-activity and social interaction among those affected, and ensure effective aftercare. At the same time, the app supports communication between patients and treatment providers to enable individualized, needs-based care.

 

Lawfulness of processing:

We base the legality of this data processing on your express consent in accordance with Art. 9 (2) (a) GDPR. You grant your consent by agreeing and selecting the data types you wish to share in your settings.

Recipient of the data:

The recipients of your personal data within the meaning of Art. 4 No. 9 GDPR and Art. 4 No. 15 GDPR are exclusively authorized medical professionals in clinics and therapy facilities that use the coobi clinic dashboard, as well as technical staff of Stigma Health GmbH who are responsible for maintenance and support of the dashboard.

 

Storage period:

The data will be stored for the duration of your use of the coobi care service. Upon termination of use or revocation of consent, the data will be deleted unless we are legally required to retain it. In this case, the data will be blocked for the duration of the legally required retention period and deleted after its expiration.

 

21. Processing of technical inquiries, Linear

We use Linear's ticketing system to resolve technical issues. Personal data is processed in this context.

 

Data processed:

  • Contact information

  • Problem description

  • Communication history regarding the problem

Purposes of processing:

Processing this data enables us to efficiently identify, track and resolve technical issues to ensure the smooth operation of our services.

 

Lawfulness of processing:

The legality of this data processing is based on Art. 6 (1) (b) GDPR, as it is necessary to fulfill our contractual obligations, in particular to resolve technical issues and to ensure the proper functioning of the app we provide.

Furthermore, we rely on Art. 6 (1) (f) GDPR because we have a legitimate interest in efficiently recording, tracking and resolving technical problems in order to ensure the quality of our services and to optimise the user experience.

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the provider of the ticketing system Linear (Linear Orbit Inc., 2261 Market St STE 10632 San Francisco, CA 94114, USA). In this context, Linear acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has been accordingly obligated, on the basis of a data processing agreement (DPA), to implement and maintain appropriate technical and organizational measures (TOMs) to protect your personal data.

As a precaution, we would like to point out that in connection with Linear, data transfer to third countries cannot be completely ruled out. However, Linear has committed to taking appropriate measures to prevent such data leakage by incorporating the EU Commission's Standard Contractual Clauses (SCC). Further information can be found in the "Data Transfer to Third Countries" section of this Privacy Policy.

 

Storage period:

The data will be stored until the end of the contract period at the latest, provided that there are no legal retention obligations that prevent deletion.

 

22. Data transmission, interfaces

Our app uses interfaces to securely transmit your data, collected by wearables and mobile devices, to a central platform for further processing and use. 

The data is transferred via the following interfaces:

  • Apple Health

  • Health Kit

  • Garmin Connect

Data processed:

  • Vital signs

  • Activity data

Purposes of processing:

The processing of your personal data serves exclusively for the secure transmission between wearables, mobile devices and our coobi care app.

 

Lawfulness of processing:

We base the legality of this data processing on your express consent (see Art. 9 (2) (a) GDPR). You grant your consent by checking the provided checkbox during the registration process.

 

Recipient of the data:

The data is transmitted exclusively using secure encryption. The interface providers and the hosting provider have no access to the data themselves. 

The data collected via the interfaces is received and processed by the coobi care app. Access to the data is reserved exclusively for recipients authorized by you.

 

Storage period:

The data is only temporarily stored for transmission and then deleted.

 

23. Use of cookies

In addition to the aforementioned access data (log files), cookies may be used within the coobi.health web platform and the coobi clinic dashboard. Cookies are small text files that are automatically saved by your browser and stored on your device. These do not contain any malicious software.

It is important to note that the use of certain cookies may be necessary for technical reasons, for example, to ensure the correct functionality of the platform. These cookies, referred to as "technically necessary cookies," are to be distinguished from those that serve other purposes, such as analyzing user behavior, and are considered "technically non-essential cookies." Cookies are used on the coobi.health web platform to analyze site usage and to perform targeted optimizations. 

Data processed by coobi.health:

  • Number of visitors

  • Duration of visit

  • Origin of visitors

  • IP address

 

Data processed by coobi clinic dashboard:

  • Form data (e.g. log-in information)

  • Language settings

  • History data (e.g. search terms entered)

 

Purposes of processing:

The analysis of the web platform's data serves to optimize the website and improve the user experience.

The processing of this data is necessary to ensure secure and personalized use of the dashboard and to ensure access to relevant content and functions.

Lawfulness of processing:

We base the legality of the data processing on the web platform on Art. 6 (1) (a) GDPR. Your consent is obtained via a cookie banner that is displayed on your first visit. The legality of the data processing on the dashboard is based on Art. 6 (1) (f) GDPR (legitimate interest), as these cookies are necessary to ensure the technical functionality and security of the dashboard.

 

Recipient of the data:

Recipients of your personal data in accordance with Art. 4 No. 9 GDPR are the hosting provider of our coobi.health web platform Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands), on whose servers it is operated, as well as the hosting provider of the web dashboard coobi clinic dashboard, Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) and AWS (Amazon Web Services Emea Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg), which is used to provide servers and databases.

Both providers act as data processors pursuant to Art. 4 No. 8 GDPR and have been contractually obliged to implement appropriate technical and organizational measures (TOMs) to protect your data.

 

Storage period:

You have the option to prevent the use of cookies by deactivating or restricting automatic cookie storage in your browser settings. You can also manually delete cookies stored on your device. Please note, however, that deactivating cookies may result in the platform no longer functioning fully or at all.

 

24. Usage analysis services 

To analyze user behavior and ensure the functionality and security of our platform, we use the services LogRocket and Amazon Web Services (AWS). These services enable the collection and analysis of usage data as well as error detection and troubleshooting. This requires the processing of personal data.

Data processed:

  • User ID

  • Device information (e.g. operating system, OS version)

  • Time and date of access

  • Version of the application

  • Session ID

  • Usage statistics and performance metrics

Purposes of processing:

Processing the aforementioned data enables us to analyze and evaluate platform usage across different devices. This allows us to identify potential for improvement within the platform, optimize user-friendliness, and continuously improve the user experience. Our goal is to best adapt the platform and the range of services offered to user needs. This data processing contributes to the continuous improvement of the quality and functionality of our platform and thus ensures optimal service for our users.

 

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (a) GDPR. You grant your consent by checking the box provided for this purpose during the registration process to consent to the collection of data for the purpose of usage analysis. Your consent is purely optional and has no connection whatsoever with the ability to use the platform.

 

Recipient of the data:

Recipients of your personal data within the meaning of Art. 4 No. 9 GDPR are the providers of usage analysis services LogRocket (LogRocket, 87 Summer St, Boston, MA 02110, USA) and AWS (Amazon Web Services Emea Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg).

In this context, the aforementioned providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been accordingly obliged, on the basis of a data processing agreement (DPA), to set up and maintain suitable technical and organizational measures (TOMs) to protect your personal data.

 

Storage period:

Your usage data is linked exclusively to a user ID, which makes it difficult to directly assign the data to you. This form of pseudonymization allows us to immediately remove the connection between the user ID and your personal data if you delete your user account on the platform or revoke your consent to usage data analysis. By removing the user ID, the usage data collected from you is anonymized and can therefore no longer be assigned to you. Once anonymized, usage data is retained by us for an unlimited period of time.

 
25. Use of local Google Webfonts 

To improve the display of the platform, we use locally hosted web fonts from Google (Google Web Fonts). To display these fonts, your browser must send your data to the hosting provider on whose servers our platform is hosted. This includes, among other things, personal data.

Data processed:
  • IP address

  • Browser type/version

  • Operating system of the device

  • Website from which the request comes (so-called referrer URL)

  • Content of the request (specific page of the platform)

  • Date and time of the request

  • Time zone

  • Access status/HTTP status code

  • Amount of data transferred

Purposes of processing:

The processing of the aforementioned data, in conjunction with the use of locally hosted Google Webfonts, enables us to display the contents of our platform uniformly in different browsers and on different devices.


Lawfulness of processing:

We base the legality of this data processing on Article 6 (1) (f) GDPR. The necessary "legitimate interest" is based on our desire to offer you a secure and uninterrupted user experience on our platform.

 

Recipient of the data:

The recipients of your personal data pursuant to Art. 4 No. 9 GDPR are the hosting provider of the application, Amazon Web Services (AWS) (Amazon Web Services Emea Sàrl, 38, Avenue John F. Kennedy, L-1855 Luxembourg), the hosting provider of the coobi clinic dashboard, Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA), and the hosting provider of our coobi.health web platform, Framer (Framer, Rozengracht 207B, Amsterdam, Netherlands). In this context, the aforementioned providers act for us as data processors within the meaning of Art. 4 No. 8 GDPR and have been obligated, on the basis of a data processing agreement, to establish and maintain suitable technical and organizational measures (TOMs) to protect your data.

 

Storage period:

The stored data will be deleted immediately after you have finished accessing our platform.

 

26. Contacting the controller

You have the opportunity to contact us at any time, including within the platform, via email or contact form, and submit inquiries. Processing your inquiries requires us to take note of the personal data you provide to us as part of your inquiry.

 

Data processed:

  • E-mail address

  • Date and time of the request

  • Content of the request

Purposes of processing:

We process the data you provide when contacting us solely for the purpose of recording, processing, and responding to your inquiry. Please note that product-related complaints may be used by us as part of our market monitoring to evaluate the quality and safety of the services offered (feedback management).

 

Lawfulness of processing:

We base the legality of this data processing on Art. 6 (1) (f) GDPR or on Art. 6 (1) (b) GDPR if you contact us in the context of initiating or processing a contract between you and us (e.g. user agreement for the use of the service offering). Our legitimate interest arises from our desire to answer your inquiries comprehensively and specifically and to resolve any problems with the services we offer as quickly as possible. If you submit your inquiry via a contact form offered as part of our platform, we base the legality of the data processing on Art. 6 (1) (a) GDPR. You give your consent by agreeing to the processing of your data in accordance with this data protection declaration by ticking the checkbox provided for this purpose before sending your inquiry via the contact form. 

 

Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the provider of the email software we use to receive and process emails. This is Google Mail (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). 

In addition, we use the chatbot of the provider Intercom (Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, DC02 C628, Ireland), which also functions as a contact form.

In this context, the aforementioned providers act as data processors for us and have been obliged by us, on the basis of a data processing agreement, to set up and maintain suitable technical and organizational measures (TOMs) to protect your data.

 

Storage period:

We will only store the processed data for as long as necessary to process and respond to your inquiry. Afterward, we will delete the data unless there are legal retention periods that prevent deletion.

 

Note on your data subject rights:

You have the right to object to this processing at any time, in accordance with Art. 21 GDPR, for reasons related to your particular situation. Unless we can demonstrate compelling legitimate grounds for processing your data that override your interests, rights, and freedoms as a data subject, or the processing serves to assert, exercise, or defend legal claims, we must cease processing. However, this only applies if the processing of your data is based on Art. 6 (1) (f) GDPR (legitimate interest).

 
27. Updating this Privacy Policy

We reserve the right to update this privacy policy with future effect in order to respond appropriately to changes in the law, case law, or economic circumstances. We will notify you in a timely manner of any changes we intend to make to this privacy policy. Your rights as a data subject within the meaning of the GDPR will never be restricted by any changes to this privacy policy.