Privacy Policy

Provides information on how your personal data is processed when you visit and use this website.

1. Preamble

Stigma Health GmbH (hereinafter: Stigma Health, provider), based in Berlin, operates the website www.coobi.health (hereinafter: website) and the coobi cope app, a digital wellbeing companion for better digital habits (hereinafter: coobi cope, app, service, product) for Android and iOS.

The following data protection information provides information on what types of personal data of coobi cope users and users of the website are processed for what purposes and to what extent. The data protection information applies to all processing of personal data carried out by Stigma Health, both in the context of the provision of services and in particular on the website and in the coobi cope app, which users can install on their mobile device, as well as within external online presences, such as in the social media profiles of Stigma Health (hereinafter collectively referred to as "online offer").

2. Responsible body and data protection officer

Responsible for the collection, processing and use of personal user data within the meaning of the General Data Protection Regulation (GDPR) is

Stigma Health GmbH
Mariendorfer Damm 1
12099 Berlin Berlin, Germany
support@coobi.health

In addition to the controller, users can also contact Stigma Health’s data protection officer if they have any questions about their data or this privacy policy or wish to assert their rights as a data subject:

Paul Aretin, Stigma Health GmbH, Mariendorfer Damm 1, 12099 Berlin Berlin, Germany, support@coobi.health

3. Collection, processing and use of personal data

3.1) Personal data

"Personal data" within the meaning of the GDPR means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data (e.g. email address, nutritional data in the app) is only processed by the provider in accordance with the provisions of the applicable data protection law. The following provisions provide information on the type, scope and purpose of the collection, processing and use of personal data.

3.2) Collection of data when using the coobi website

Your data processed when using our website will be deleted or blocked as soon as the purpose for its storage ceases to apply, provided the deletion of the same does not conflict with any statutory storage obligations or unless otherwise stipulated below.

Log files:

Each time you access our website, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected: the types and versions of the browser used, the operating system used by the accessing system, the website from which an accessing system reaches our website (so-called referrers), the sub-websites accessed via an accessing system on our website, the date and time of access to the website, an internet protocol address (IP address), the internet service provider of the accessing system, and any other similar data and information that may be used in the event of attacks on our information technology systems. This data is collected for the purpose of ensuring a smooth connection to our website, ensuring the reliable operation of our website, evaluating system security and stability, and for other administrative purposes. The legal basis for this data processing is Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes for data collection listed above. The log files are regularly deleted after one week, unless there is a need to investigate concrete indications of unlawful use.

Data Retention Periods: The collected log files are retained for a period necessary to ensure network and information security, typically no longer than 30 days, unless there is a need to extend this period for investigating concrete indications of unlawful use.

Specific Third-Party Data Processors: In addition to internal analytics, we may engage third-party services for website analytics, which include but are not limited to Google Analytics. These services help us understand user behavior on our website and are used in compliance with GDPR.

Mailing lists:

When you subscribe to our free newsletter, the data requested from you for this purpose, i.e. your email address and optionally your name and address, will be processed by us. When you subscribe to our newsletter, we also store the IP address of the computer system you are using at the time of registration, as well as the date and time of registration. During the registration process, we will obtain your consent to receive this newsletter and the type of content it will contain, as well as to the processing of your personal data for the purpose of sending the newsletter. The data collected as part of the registration for the newsletter will be used exclusively to send our newsletter. Subscribers may be notified by email about circumstances relevant to the service or registration (such as changes to the newsletter offer or technical conditions). The legal basis for sending the newsletter is your consent pursuant to Art. 6(1)(a) GDPR. The legal basis for the logging of the data as part of the registration process is Art. 6(1)(f) GDPR. Our legitimate interest arises from the fact that we can prove that the recipient has given their consent. You may revoke your consent to receive our newsletter at any time with future effect in accordance with Art. 7(3) GDPR. All you have to do is inform us that you wish to unsubscribe or you can use the unsubscribe link provided in every newsletter.

Contact:

When you contact us by email or through a contact form, the data you provide will be used for the purpose of processing your request. We require this data in order to process and respond to your request; otherwise, we may not be able to fully answer your request or not at all. The legal basis for this data processing is Art. 6(1)(b) GDPR, provided your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the legal basis is Art. 6(1)(f) GDPR, where our legitimate interest is to respond to your request as a customer-friendly and service-oriented company. We will delete your data when your request has been fully answered and there is no further legal obligation to store your data, such as if an order or contract resulted from it.

3.3) Personal Data When Using the Coobi cope App

3.3.1) Mandatory Information for Creating a Personalized User Account

To use the Coobi cope app, users are required to provide their "email address" and "password". These details are essential for user identification and for communication between Coobi cope and the user. The user’s email address, along with any other data, is not visible to other users. The data storage and management of the user accounts are facilitated by Auth0, a robust authorization platform, ensuring enhanced security and streamlined user experience. Auth0's implementation aligns with Art. 6 para. 1 lit. a GDPR and aids in maintaining high standards of data protection and privacy.

Auth0 provides a secure, scalable solution for user authentication and identity management. It offers advanced security features such as multi-factor authentication, single sign-on, and universal login capabilities, which significantly enhance the security and integrity of user data. By leveraging Auth0, Coobi cope ensures that user credentials are managed in a secure environment, minimizing the risk of unauthorized access and data breaches.

In addition to email and password, Auth0 allows for a seamless integration of other sign-in methods, such as social login options, depending on user preference and device capabilities. This integration is designed to offer users a flexible, user-friendly, and secure way of accessing their coobi cope accounts, while maintaining compliance with relevant data protection regulations.

The use of Auth0 for authorisation purposes is based on each user's consent, as per Art. 6 para. 1 lit. a GDPR. The collected data is strictly used for authentication and communication purposes within the scope of coobi cope's services, ensuring that users' privacy and data security are upheld at all times.

3.3.2) Using the App with the 'Sign in with Apple' Feature

iOS users have the option to sign into the Coobi cope app using the 'Sign in with Apple' button. When using Apple ID for sign-in, users can choose to either hide or share their personal email address with Coobi cope. By selecting 'Hide email address', a generic alias address is created through Apple's email relay service, which forwards messages from Coobi cope to the user's private email address. 'Sign in with Apple' employs two-factor authentication, eliminating the need for an additional password. More information about this feature and its settings can be found at: Apple Support Link.

3.3.3) Using the App with 'Continue with Google'

Users have the option to create or link a coobi cope account with their Google account. This is possible when selecting the 'Continue with Google' option during the account registration process on the website and within the app. coobi cope collects and stores personal data from the user's Google account, including email address and, optionally, first and last names, and the user's profile picture. Users can adjust their privacy settings for data transfer to Coobi cope in their Google account settings. More details on this function and its settings are available at: Google Support Link.

3.3.4) Data provided by the user

When creating a personalised user account, in addition to the mandatory information (email address and password), coobi cope also collects data provided by the user via a personalised or anonymous user account, which can be entered when using the app. This includes a user profile consisting of the following, but not exhaustive, data:

Age, gender, Digital Activities Goal (e.g. regain control), Helphistory (e.g. online community), Pre-existing medical conditions, Name of support contact, Activity in exercises/modules, Journalling input, Notification settings, Status of the app user (PRO subscription available: yes/no), Success days/Failure days, Mood information, HRV Measurement information, Stress index, Craving Scores, Feedback on Modules, Favourite Craving Strategies, Language preferences

The data is collected on the basis of the user's consent in accordance with Art. 6 para. 1 lit. a GDPR. The provision of this data is necessary in order to be able to use the functions of the app. This data is used exclusively for the stated purposes and cannot be viewed by third parties.

3.3.6) Data collected automatically by coobi cope

When the app is installed, the following data is collected once:

Date of installation, Date of registration, Operating system of the device used (Android/iOS), Country and language (based on locale: The "locale" is a set of settings that contains the locale parameters (location parameters) for computer programmes. These primarily include the language of the user interface, the country and settings for the character set, keyboard layout, number, currency, date and time formats).

The collection of this data serves to improve and personalise our services and is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

3.3.7) Data collected during the use of the app

During the use of the app, coobi cope also collects the respective version of the app used, device, device size and current time zone. coobi cope also records user activity using LogRocket. This service is instrumental in identifying usability issues and enhancing user experience. LogRocket collects activity data, browser type, and operating system, but it does not include personally identifiable information. The collection of this data serves to improve and personalise the services offered and is based on coobi cope's legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

3.3.9) Contractual relationship and payment procedure

If a contractual relationship between the user and coobi cope is to be established, developed or amended, coobi cope stores personal data of the user on the basis of Art. 6 para. 1 lit. b GDPR (see list of personal data under sections 3.3.5. to 3.3.7.), insofar as this is necessary for the implementation of the contract. The user has the option of purchasing the PRO version of the coobi cope app as part of a subscription via an in-app purchase, optionally with a free trial period of 7 days at the beginning (trial subscription). If the user decides to purchase the PRO version or start the trial, they will be forwarded directly to the Apple App Store or Google Play Store via the order button, depending on their operating system.

When forwarding to the relevant app store, coobi cope transmits the start and end date, the cancellation date of subscriptions, if applicable, as well as the reason for cancellation (e.g. after a possible cancellation). The data for payment processing is collected directly by the app stores. The app stores' privacy policies can be viewed here:

Apple App Store: https://www.apple.com/privacy/

Google Play Store: https://policies.google.com/privacy

Payment transactions are subject to the terms and conditions and data protection notices of the respective payment service providers, which can be accessed on the respective websites or transaction apps:

4. Data exchange with third parties

Stigma Health takes the protection of personal user data very seriously. Stigma Health therefore treats personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. coobi cope therefore only collects and stores data that is provided by third-party providers on the basis of the respective user consent in accordance with Art. 6 para. 1 lit. a GDPR and transmits corresponding data to them. Subject to legal or contractual authorisations, coobi cope processes or has the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met. Processing is carried out, for example, on the basis of special guarantees, such as compliance with officially recognised special contractual obligations ("standard contractual clauses").

If the EU Commission does not consider the third country to have the same level of data protection as the EU, coobi cope ensures that the European level of data protection is maintained in accordance with Art. 46 para. 1, para. 2 lit. c GDPR by using standard contractual clauses (SCC) and binding corporate rules. Nevertheless, it is possible under certain circumstances that authorities in a third country may access user data for control and monitoring purposes and that neither effective legal remedies nor data subject rights can be enforced.

If the user has consented to the storage of their data, they have the right to revoke their consent at any time with effect for the future. In this case, their personal data will be deleted immediately. The user's personal data will also be deleted without their revocation if coobi cope has processed their enquiry or the user has revoked their consent to storage. This also occurs if storage is not permitted for other legal reasons.

As part of our commitment to providing a secure and efficient user experience, we integrate various third-party services and data processors into our operations. The following outlines the nature and purpose of these integrations:

  1. LogRocket: We use LogRocket, a service that helps us understand and improve user interactions with our mobile application. LogRocket records user activity. This service is instrumental in identifying usability issues and enhancing user experience. LogRocket collects activity data, device type, and operating system, but it does not include personally identifiable information. The processing is based on our legitimate interest in optimizing our mobile application in accordance with Art. 6(1)(f) GDPR.

  2. Auth0: Auth0 is our authentication and identity management service. It processes data necessary for securely managing user logins and authentication, including email addresses and encrypted passwords. This processing is essential for the performance of our contract with users, as per Art. 6(1)(b) GDPR. Auth0 does not get any usage information of the user.

  3. Happitech: We utilize Happitech for gathering photoplethysmography measurements via smartphone cameras. This service processes only data required to conduct the measurements (phone camera RGB channels, Accelerometry, etc.) and does not access or store any other personal data from the user’s device. The processing of this data is based on the user’s consent according to Art. 6(1)(a) GDPR.

  4. Secure Storage and Local Async Storage: We employ secure storage and local async storage solutions on user devices to enhance app performance and user experience. These technologies store data locally on the user's device and sync with our servers as needed. The data stored may include user preferences, app settings, and operational data. This processing is necessary for the performance of our services as outlined in Art. 6(1)(b) GDPR.

  5. Data Transfer and Security Measures: We ensure that all third-party services comply with GDPR standards for data protection and security. Where data is transferred outside the EU/EEA, we implement appropriate safeguards such as standard contractual clauses approved by the European Commission.

Users have the right to object to this processing and can exercise this right by contacting us using the details provided in Section II. For more information on how these third-party services process data, users are encouraged to consult their respective privacy policies.

5. Contact & customer support

Stigma Health uses the business communication platform "Calendly" from Calendly LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA, on the website. With the help of Calendly, appointments can be made simply and easily during the application process. The applicant must provide data such as name, e-mail address and telephone number. This data may also be transmitted to Calendly on servers outside the European Union. Data processing for the purpose of making appointments is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, on the basis of the consent voluntarily given by the user and Stigma Health's interest in an effective appointment arrangement.

Further information on data protection can be found in Calendly's privacy policy: https://calendly.com/privacy.

6. Surveys

The website uses the provider Tally, a drag-and-drop construction kit for creating interactive forms, funnels, quizzes and landing pages, from Tally BV, August van Lokerenstraat 71, 9050 Gent, Belgium. The user can contact the provider using the online forms created with the help of Tally. All the user has to do is enter their request and any additional data requested, such as their name and contact details, and then send it off. User enquiries are processed in Gmail.

7. Newsletter/Mailings

When you subscribe to our free newsletter, the data requested from you for this purpose, i.e. your email address and optionally your name and address, will be processed by us. When you subscribe to our newsletter, we also store the IP address of the computer system you are using at the time of registration, as well as the date and time of registration. During the registration process, we will obtain your consent to receive this newsletter and the type of content it will contain, as well as to the processing of your personal data for the purpose of sending the newsletter. The data collected as part of the registration for the newsletter will be used exclusively to send our newsletter. Subscribers may be notified by email about circumstances relevant to the service or registration (such as changes to the newsletter offer or technical conditions). The legal basis for sending the newsletter is your consent pursuant to Art. 6(1)(a) GDPR. The legal basis for the logging of the data as part of the registration process is Art. 6(1)(f) GDPR. Our legitimate interest arises from the fact that we can prove that the recipient has given their consent. You may revoke your consent to receive our newsletter at any time with future effect in accordance with Art. 7(3) GDPR. All you have to do is inform us that you wish to unsubscribe or you can use the unsubscribe link provided in every newsletter.

The aforementioned service providers are used on the basis of the legitimate interests of Stigma Health pursuant to Art. 6 para. 1 lit. f GDPR and an order processing contract pursuant to Art. 28 para. 3 sentence 1 GDPR.

8. Use of web analytics, marketing and retargeting tools

Stigma Health uses various tools or plugins for web analysis, remarketing and retargeting on the basis of the user's consent within the meaning of Art. 6 para. 1 lit. a GDPR. Cookies are used, the IP address is forwarded and/or various types of data are collected and analysed. This includes, for example, the number of website visitors, visit duration, average page load time, origin of visitors. The purpose of using these cookies is to be able to compile more targeted offers for coobi cope users.

In detail:

8.1) Instagram

Functions and content of the Instagram service may be integrated within the coobi cope app and on the website. The provider is Meta Platforms Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA. This may include, for example, content such as images, videos or texts and buttons with which users can express their liking of the content, subscribe to the authors of the content or subscribe to our posts. If the user is also a member of the Instagram platform, Instagram can assign access to the above-mentioned content and functions to the user profile there. More about Instagram's privacy policy at: http://instagram.com/about/legal/privacy/

8.2) Twitter

Functions and content of the Twitter service, offered by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be integrated on the provider's website. In particular, this may include buttons with which the user can share the website link. If a user is a member of the Twitter platform, Twitter can assign access to the above-mentioned content and functions to the user's profile there.

Twitter privacy policy: https://twitter.com/privacy

8.3) TikTok

The coobi website and coobi cope app may include functions and content from the TikTok service offered by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380 Ireland. This may include, for example, content such as videos and buttons with which users can express their favour regarding the content, subscribe to the author of the content or the provider's contributions.

If the user is a member of the TikTok platform, TikTok can assign the access to the above-mentioned content and functions to their profile there. The information generated by the pixel about the user's use of this website is transmitted to several TikTok servers, including in third countries such as the USA, and stored there. However, if IP anonymisation is activated on this website, TikTok will truncate the user's IP address within member states of the European Union or in other states party to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to TikTok servers in third countries and truncated there. On behalf of the operator of this website, TikTok will use this information to analyse the user's activities on the website, to compile reports on website activities and to provide the website operator with further services associated with the use of the website and the Internet.

TikTok offers extensive data protection information at https://www.tiktok.com/legal/privacy-policy.

8.4) YouTube

Both the coobi website and the coobi cope app may also include functions and content from the YouTube service offered by YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066 USA. This may include content such as videos with which users can express their favour regarding the content, subscribe to the author of the content or the provider's contributions.

If the user is a member of the YouTube platform, YouTube can assign access to the above-mentioned content and functions to their profile there. The information generated by the plugin about your use of this website is transmitted to a YouTube server in the USA and stored there. However, if IP anonymisation is activated on this website, the user's IP address will first be truncated by YouTube within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a YouTube server in the USA and truncated there. On behalf of the operator of this website, YouTube will use this information to analyse the user's activity on the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage.

YouTube's privacy policy can be found at https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/

9. Deletion of user data

Stigma Health stores the user's personal data for the duration of use of the app. If the user account is deleted, the email address, username and links to third-party providers are permanently and irretrievably deleted.

10. Resetting the user account

The user has the option of resetting their account and deleting all existing information recorded other than profile information.

11. Rights of the user

The user has the following rights, which - with the exception of Section 14.9 - can be asserted with the controller or the data protection officer. The contact details can be found in Section 1.

11.1) Right to information (Art. 15 GDPR)

The user has the right to request information free of charge at any time about their personal data stored by Stigma Health, its origin and recipients, the purpose of data processing, the planned duration of data storage, including a copy of the personal data that is the subject of processing.

11.2) Right to rectification (Art. 16 GDPR)

In addition, the user has the right to have incorrect or incomplete personal data corrected or completed without delay at any time.

11.3) Right to withdraw consent (Art. 7 para. 3 GDPR)

The user has the right to withdraw their consent to data processing at any time and with effect for the future, without the need for a reason for withdrawal.

11.4) Right to erasure (Art. 17 GDPR)

Under the conditions of Art. 17 GDPR, the user can request the erasure of their personal data. Their right to erasure depends, among other things, on whether the data concerning them is still required by Stigma Health to fulfil its legal obligations.

11.5) Right to restriction of processing (Art. 18 GDPR)

Under the conditions of Art. 18 GDPR, the user may request the restriction of the processing of personal data concerning him/her.

11.6) Right to data portability (Art. 20 GDPR)

The user has the right to receive the personal data they have provided in a structured, commonly used and machine-readable format or to transmit those data to another controller, provided that the processing is based on consent and the processing is carried out by automated means.

11.7) Right to object (Art. 21 GDPR)

Users can exercise their right to object to the creation of user profiles and the processing of their personal data at any time, provided that the processing is based on Art. 6 para. 1 lit. e or f GDPR. Personal data will no longer be processed unless there are compelling legitimate grounds that outweigh the interests, rights and freedoms of the user. If a user's personal data is used for the purpose of direct marketing, the user naturally has the right to object to such processing at any time.

11.8) Right not to be subject to an automated decision (Art. 22 GDPR)

The user has the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning him or her or similarly significantly affects him or her.

11.9) Right to lodge a complaint (Art. 77 GDPR)

Furthermore, the user has the right to lodge a complaint with the supervisory authority responsible for the provider:

Berliner Beauftragte für Datenschutz und Informationsfreiheit:


Meike Kamp Alt-Moabit 59-61 10555 Berlin
Tel.: +49 30 13889-0
Fax: +49 30 2155050
Mail: mailbox@datenschutz-berlin.de
Web: https://www.datenschutz-berlin.de/

12. Version and updating of this privacy policy

This privacy policy is currently valid and was last updated in January 2024.

Due to the further development of our website and our product or due to changed legal requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed and printed out at any time on the website at https://www.coobi.health/privacypolicy
