Kaia Health Software GmbH
Managing Directors: Konstantin Mehl and Manuel Thurner
PROLIANCE GmbH / www.datenschutzexperte.de
Data Protection Officer
Terms such as "personal data," "processing," "pseudonymisation," "profiling," "controller," "processor" as well as any other terms according to Art. 4 GDPR have the same meaning as defined in the GDPR.
When processing your personal data in the context of the purposes set out in this Policy, we may, depending on the circumstances, rely on one or more of the following legal bases:
Health data, processing based on Art 9 (2) (a) GDPR consent.
Visitors and users of the app (hereinafter, data subjects in general will also be called "Users").
All data is collected directly from the end user about the use of the app. When filling out feedback or self-test forms or at the end of an exercise, this information is transmitted to the Kaia server via an encrypted TLS connection and stored in an appropriately secured database.
This app includes the functionality of video recording a user‘s exercise sessions. This feature will only be enabled after getting explicit consent from the user immediately before an exercise session by means of a dedicated screen (Art. 6 (1) lit. a) and Art. 9 (2) lit. a) DSG-VO). The video recording will automatically end with the exercise session. The recording can be stopped at any time by cancelling the exercise session. Yet, within a timeframe of 24h the video recording will start again when the next exercise session is started. If you decide to allow the recording, please ensure that no other persons are visible in the camera frame or those persons also consent to this agreement.
The video recordings will be processed to improve the functionality of the app. In particular, the following processing steps will occur:
We will save the video recordings for the duration of 3 years, we will not share the data with third parties, and we aim to anonymize the data as soon as possible. The data will be transferred to us in an encrypted way.
Finally, our app can use push notifications to send you notifications.
When you use the app for the first time, you will be asked if you want to activate these functions in your settings menu. If you do not enable or later disable these features, you may not be able to take full advantage of the app.
The information you provide when setting up your account in the app may include your name, user name, email address, gender, country of residence, telephone number, payment data and details of your condition. When you register for an account with us, you also have a unique password with which you can access your account.
We have taken appropriate technical and organizational security measures in accordance with Art. 32 GDPR, taking into account the state of technology, implementation costs as well as nature, scope, circumstances and purposes of the processing and the different likelihood and severity of any risks to the rights and freedoms of natural persons, to protect your personal data against unintentional or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and any other unlawful or unauthorized forms of processing under applicable law.
Such measures include in particular, ensuring confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, disclosure, security of availability and its separation. In addition, we have established procedures that ensure the exercise of the rights of data subjects, deletion of data and reaction to data risks. In addition, we take into account the protection of personal data when developing or selecting the hardware, software and procedures in line with the principle of data protection through technology design and data protection-friendly presettings (Art. 25 GDPR).
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission, if you have given consent, if this is required by law or based on our legitimate interests (e.g. when involving third parties to host the servers, deliver e-mail contact forms as well as response to enquiries through the form).
If we commission third parties with the processing of data based on a so-called "processing contract," this will be done on the basis of Art. 28 GDPR.
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure or transmission of data to third parties, this will only be done to fulfill our (pre-)contractual obligations, based on your consent (with corresponding precise information and specifying those third countries), if required by law or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are fulfiled. This means that the processing is carried out e.g. on the basis of specific guarantees, such as the officially recognized level of data protection corresponding to that of the EU (e.g. for the US through the 'Privacy Shield') or compliance with officially recognized special contractual obligations (so-called 'standard contractual clauses').
Please note that the level of data protection of such third countries is lower than the level of protection of the European Union.
You have the right to request confirmation as to whether relevant data are being processed and to request information about such data as well as further information and a copy of the data pursuant to Art. 15 GDPR.
Pursuant to Art. 16 GDPR you have the right to request completion of the data concerning you or correction of any incorrect data concerning you.
Pursuant to Art. 17 GDPR, you have the right to request that the relevant data will be deleted immediately or, alternatively, pursuant to Art. 18 GDPR, to request a restriction of the processing of data.
You have the right to request provision of the data concerning you that you have provided to us pursuant to Art. 20 GDPR and to request their transfer to other controllers.
You also have the right to file a complaint with the competent supervisory authority pursuant to Art. 77 GDPR.
Bavarian Data Protection Authority (BayLDA)
91522 Ansbach, Germany
Phone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
If certain data processing is based on your consent, you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You may object to the future processing of your data at any time pursuant to Art. 21 GDPR. Such objection may be made in particular against processing for direct marketing purposes (see also below).
We use your information to communicate with you and to keep you informed about our activities and events and those of third parties in which you may be interested, and to make suggestions and recommendations to you and other users of our website and app about products or services that may interest you or them (direct marketing). Our goal is to send you only direct marketing directly related to the usage of the product. We provide this information to you by email (subject to your prior consent, if required by law), push notifications on our app, targeted ads on our app and third-party platforms, text, social media or telephone.
'Cookies' are small files that are stored on the users' computers. Different types of information can be stored by such cookies. A cookie is primarily used to store the information about a user (or the device where the cookie is stored) during or after his/her visit to a website. Temporary cookies, or 'session cookies' or 'transient cookies' are cookies that are deleted after a user has left a website and closes his/her browser. Such a cookie may store e.g. the contents of a shopping cart in an online store or a login jam. Cookies are 'permanent' or 'persistent' if they remain stored even after the browser has been closed. For example, the login status can be saved if users visit again after several days. Similarly, such a cookie can also store the users' interests, which are used for range measurement or marketing purposes. 'Third-party cookie' refers to cookies that are offered by providers other than the person responsible for operating the website (otherwise, if only their cookies are used, they are called 'first-party cookies').
If users do not want cookies stored on their computer, they are asked to disable the relevant option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. However, the exclusion of cookies can lead to functional restrictions of this online offer.
We use hosting services for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage and database services, security services and technical maintenance services, which we use to operate this app.
We or our hosting provider process user data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this app, based on our legitimate interests in the efficient and secure provision of this app pursuant to Art. 6 (1) (f) GDPR in conjunction with Art. 28 GDPR.
Based on our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we or our hosting provider collect data on every access to the server where this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Data that need to be retained further for evidence purposes are exempted from deletion until final clarification of the respective incident.
When contacting us (for example, by contact form, e-mail, telephone, or via social media), the user's information will be processed to process the contact request pursuant to Art. 6 (1) (b) GDPR. The user's information may be stored in a customer relationship management system ('CRM System') or a comparable request organization.
We delete inquiries once they are no longer required. We check the necessity every two years; in addition, the legal archiving obligations apply.
Based on our legitimate interests (i.e. interest in analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use content or services offered by third-parties in our online offer in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as 'content').
Please note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.
Kaia uses the service of the payment service provider braintree. braintree is a company of PayPal, Inc. which processes credit card payments. Your personal data will only be passed on to "Braintree" for the purpose of processing the online order. The data protection regulations are identical to those of Paypal. Details on data protection at Braintree can be found here: https://www.paypal.com/us/webapps/mpp/ua/privacy-full.
|Data Controller||BAA required and in place?||DPA required and in place?||Privacy shield required and in place?|
|Hosting / Infrastructure|
|Firebase Crashlytics/App Distribution||No||Yes||Yes|
|Amazon Web Services||Yes||Yes||Yes|
|Product Improvement and Marketing Analytics|