With this privacy policy declaration we would like to inform you about how we process personal data. The protection of your privacy is of the utmost importance to us, which is why compliance with the legal provisions on data protection is a matter of course for us.
Name and contact details of the person responsible
Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2
13347 Berlin
Represented by:
Dr. Gandolf Finke
Dr. Jan Simon Raue
Contact:
Email: support@mika.health
Data Protection Officer
If you have any questions about our data protection measures, the processing of your data or the protection of your rights as a data subject, you can reach us and our data protection officer as follows:
External data protection officer:
ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg
For all questions and concerns regarding your data, please contact support@mika.health
If you want to communicate directly with our data protection officer (e.g. because you have a particularly sensitive matter), please contact him by letter post, as communication by e-mail can always have security gaps. When making your request, please indicate that your request relates to Fosanis GmbH.
Personal Data
Personal data is any information about a specific or identifiable person. This includes the following categories of personal data that we process:
- Your contact details (e.g. first and last name, e-mail address, phone number)
- Online identifiers (such as user IDs, IP addresses)
- Usage data, usage time and usage profiles
- Health data (such as information on symptoms, condition, stress areas, type of cancer, type of therapy)
- Your diary entries
- Technical data related to crash reports (app version, device information, operating system, time and details about the circumstances of the problem, error codes from our server, a user identifier that allows us to determine how many users are affected by a specific problem)
- Your correspondence with us
Legal basis
We rely on the following legal bases to process your data:
- Your consent, if you have given us such (art. 6(1)(a) UK GDPR),
- the initiation or execution of a contract with you (art. 6(1)(b) UK GDPR),
- the fulfillment of legal obligations (art. 6(1)(c) UK GDPR),
- the implementation of our legitimate interests (art. 6(1)(f) UK GDPR)
Purposes
We process your data for the following purposes:
- to provide our service in accordance with the User Agreement
- to correspond with you
- to process contracts with you
- for quality assurance and statistics
- to improve our service
- for scientific evaluation of our service
Legitimate Interests
The processing of your data aims to protect the following legitimate interests:
- the protection of our systems against misuse
Requirement or Obligation to Provide Data
Unless expressly stated, the provision of your data is not required or mandatory.
Storage duration
We store your data
- if you have consented to the processing, at most until you revoke your consent;
- if we need the data to fulfill a contract, at most for as long as the contractual relationship with you exists;
- if we use the data on the basis of a legitimate interest, at most as long as your interest in erasure or anonymization does not outweigh our interests;
- if there are statutory retention requirements, until the end of the retention periods.
If you want to revoke your consent, you can do this in the settings under "Delete user account".
Automated processing in individual cases including profiling
We do not make any decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.
Data recipients
Disclosure of Personal Information to Service Providers
We work with service providers who process certain data on our behalf. This is done exclusively in accordance with the applicable data protection law. In particular, we have concluded data processing agreements with our service providers - to the extent required by law - which meet the requirements of art. 28 UK GDPR, and we issue the service providers with instructions on how to handle the data. Through careful selection and regular checks, we ensure that our service providers take all organizational and technical measures necessary to protect your data.
Our data recipients are:
Hetzner Online GmbH
This app is hosted by an external service provider (hoster). The personal data collected by the app is stored on the hoster's servers.
These are:
- user profiles,
- information on the health of users,
- usage data,
- crash reports
Our hoster will only process your data to the extent that this is necessary to fulfill its performance obligations and will follow our instructions in relation to this data.
We use the following hoster (server location):
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Conclusion of a data processing agreement: In order to ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster.
Thryve
We use the Thryve service from mHealth Pioneers GmbH (Körtestraße 10, 10967 Berlin, Germany) to read, store and process data from wearables. Information about vital data, activity data and online identifiers is collected. mHealth Pioneers GmbH has no access to other data stored by Mika. To use the service, your devices must be authorized in the app for data transfer. If you do not want this, you can end the data processing by disconnecting the connection in the app under "My Devices".
Typeform
We use services from Typeform SL, a Spanish company located in C/Bac de Roda, 163 (Local), 08018 - Barcelona for user surveys. The survey data is matched internally with the user IDs for further analysis. Providing the email address is optional for the user. If the user provides it, a follow-up email might be sent.
To withdraw your consent, please send an email to support@mikahealth.co.uk. For more information, please refer to Typeform SL's privacy policy at admin.typeform.com
Ministry of Code GmbH (MoC)
We use the services of the Ministry of Code UG (Rödingsmarkt 14, 20459 Hamburg) for the installation, maintenance and operation of our IT infrastructure, software systems and software. They manage the application, storage and monitoring software required to operate Mika. MoC can technically access all personal data of users, but may not and will not do so. We have entered into a DPA with the Ministry of Code.
Amazon Web Services (AWS)
We use AWS Services (38 Avenue John F. Kennedy, L-1855, Luxembourg) to allow users to get better suggestions from our system. Your information will be pseudonymised and processed on the AWS server in Frankfurt, Germany. The data on AWS is encrypted and only we have access to the encryption key. The following data is stored encrypted on AWS services:
- user ID (without email and name),
- user profile,
- data about items tagged with user ID.
A data processing agreement with AWS is in place. You can find out more about data protection at AWS here: aws.amazon.com
One.com
In order to be able to send you emails as a user, we use the provider One.com. One.com is located at Carlsgatan 3, 211 20 Malmö, Sweden.
You can find out more about data protection at One.com here: www.one.com/de/
We have concluded a data processing agreement with One.com to ensure that data protection requirements are met.
Sendinblue
For sending emails to users, we use the provider SendInBlue, located at 7 rue de Madrid, 75008 Paris, France. We use SendInBlue for the following transactional emails:
- Confirmation of a new user's email address
- Request for double opt-in email consent
- Confirmation of opt-out from email consent
- Request of user password reset
- Confirmation of user password reset
- Confirmation of user password change
- Verification of updated user-email-address
as well as for customer relationship management purposes and email marketing (if the appropriate email consent is given). You can find out more about data protection in SendInBlue's privacy policy: de.sendinblue.com
Adjust
In order to manage our marketing campaign, we make use of the tool Adjust, located at Saarbrücker Str. 37A, 10405 Berlin, Germany. Users are directed to install Mika from the app stores through a QR link. No user-related information is obtained.
You can find out more about data protection at Adjust GmbH: www.adjust.com
Optional according to user settings: Automatic collection of health-related data
We enable you to connect and import your activity and health data from different sources (such as mobile phones, smart watches, fitness trackers and other digital health services). By storing the authorization information for your account with another provider, you explicitly authorize us to transfer your data from this provider to your account with us (the legal basis for this right is art. 20 UK GDPR).
The collection of this information is voluntary and not necessary for the use of Mika. The basis for the processing of your data is your consent, art. 6(1)(a) and 9(2)(a) UK GDPR. You can revoke this consent at any time. Further information on your data protection rights can be found under paragraph 4 of the rights of data subjects.
For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin. mHealth Pioneers GmbH has no access to other data stored by Mika.
Scope of the automatically collected data
If your authorization information has been stored, the following health-related data, for example, can be automatically collected and stored with your consent when you use Mika: activities such as steps, sleep duration and sleep phases.
Personal data is only stored in encrypted form.
Transfer to third countries
We transfer personal data to countries outside of the United Kingdom. This transfer takes place on the basis of contractual regulations provided for by law, which are intended to ensure adequate protection of your data and which you can review on request.
Your rights
Your rights as a data subject are as follows:
- To request information about how your data is processed and to receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (if such data is transferred), storage periods or the criteria for determining such storage periods.
- To receive personal data relating to you in a structured, commonly used and machine-readable format, or to have it transferred to another controller or responsible person.
- To rectify your data. If your personal data is incomplete, you are entitled to have it completed, taking into account the purposes pursued by such data processing.
- To have your data deleted or blocked.
- To restrict the extent to which your data is processed.
- To object to the processing of your data.
- To revoke your consent to your data being processed with future effect.
- To lodge a complaint with the relevant supervisory authority regarding unlawful data processing.
Please note that uninstalling the app will not delete your data. To delete your data, please delete your user account as described below.
If you would like to revoke your consent to data processing by Mika and have the data stored by Mika deleted, you can revoke your consent in the Mika app via Settings > Delete user account (without affecting the legality of the data processing that took place before the revocation) and thereby block your account.
Before the blocking (and only before the blocking), we can transfer your data to you if you write to us at support@mikahealth.co.uk with this request. From the time of blocking, your data will be archived in accordance with the statutory storage obligation, will no longer be processed after archiving and can no longer be viewed. After the retention period expires, the data will be deleted.
The blocking cannot be undone.
Your data is no longer available to you from the moment it is deleted. Mika can then no longer perform the services described in our terms and conditions, can no longer establish a connection to your account for you and can no longer determine whether you are or were a Mika user. Any remaining period of use that may have already been paid for expires without the possibility of offsetting or reimbursement.
If the deletion contradicts other statutory, contractual, tax or commercial retention requirements or other statutory reasons, your account can only be permanently blocked instead of being deleted.
Status of the data protection declaration
If our processes change, we adjust the information.
Status of this data protection declaration: 05.04.2023
Privacy policy
The purpose of this privacy policy is to inform you about how we process
personal data. The protection of your privacy is of paramount importance to us,
for which reason we ensure compliance with statutory provisions on data
protection as a matter of course.
This privacy policy contains information for all our visitors in the EU, UK,
Switzerland and United States of America. Where legal grounds are stated by
reference to the General Data Protection Regulation (GDPR), the information
applies correspondingly to the UK GDPR. All information given pertains to
visitors from all locations unless stated otherwise.
1. Name and contact details of the responsible party
Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2
13347 Berlin, Germany
Email: support@mika.health
2. Data protection officer
If you have any questions regarding our data protection measures, the
processing of your data or about the protection of your rights as a data
subject, you can reach us and our data protection officer as
follows:
External data protection officer:
ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg, Germany
For all questions and concerns regarding your data, please contact
support@mika.health
Should you wish to communicate directly with our data protection officer
(for example, because you have a particularly sensitive concern), please
contact them by letter post since communication by email can always pose
certain security risks. Please state in your enquiry that your concern relates
to the company Fosanis GmbH.
3. Security measures
All information collected by using Mika is only stored and transferred using
state-of-the-art encryption. To ensure the highest level of security for your
personal information, we have implemented an Information Security Management
System (ISMS) based on ISO 27001. Our Information Security Officer, in
conjunction with our Data Privacy Officer, ensures that all information
processing is done to the highest standards.
Our ISMS includes processes and countermeasures to deal efficiently and quickly
with possible data breaches, vulnerabilities and other factors that could have
an impact on data security. All of our employees undergo regular information
security and data privacy training. The effectiveness of our ISMS is audited on
an annual basis by an independent body.
Our service providers are carefully reviewed to ensure compliant handling of
personal information. For our app we only utilize hosting providers that have
been certified based on ISO 27001, ISO 27017 (cloud information security) and
ISO 27018 (data protection for cloud services). This includes HIPAA compliance
where required.
4. Use of your data when using our app
We collect and process your personal data to render our health services via
the app’s content to you whenever you use our app. This may include data
processing to ensure the technical safety of the app, to bill, invoice or
otherwise receive compensation from your health insurance, health care provider
or company. We may also store some data on your device to provide the app’s
functionality.
4.1. Data categories and legal grounds
Our app may collect the following data categories to provide its functionality:
- Contact information (e.g. name, address, email address, telephone number)
- Health information (e.g. medical indication, symptoms, information on your
current health progress, diary entries, stress factors, type of therapy)
- Online identifiers and technical information (e.g. IP address, device ID,
user ID, crash reports)
- Messages you send us within the app
We process your data based on your voluntary consent (Art. 9(2)(a) GDPR for
health data and Art. 6(1)(a) GDPR for all other data) and, where applicable, as
part of performing our obligations to you under a service contract (Art.
6(1)(b) GDPR).
4.2. Recipients of your personal information
The following companies provide services to us within the performance of our
app and may therefore receive some of your personal information:
- Amazon Web Services (38 Avenue John F. Kennedy, L-1855, Luxembourg): hosting
of our app
- Thryve (mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany):
middleware to allow connecting our app to external devices and smartphone
services
- Typeform (Typeform SL, Calle de Pallars 108 (Attico), 08018 Barcelona,
Spain): form and survey tool
- Sendinblue (7 rue de Madrid, 75008 Paris, France): email service provider
- Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4,
Ireland): email management
4.3. Storage duration
We store your personal information until you revoke your consent by deleting
your account. You can do this at any time within the app itself. Please be
aware that this cannot be reversed.
If we render our services to you as part of a service contract, then we store
your data until the contract has been terminated, unless you delete your
account beforehand.
5. Data collection to improve our app
When you register, you have the choice to consent to us using some of your
personal data to improve our app and for the scientific evaluation of our
services. This includes enhancing the usability of our app as well as
analysing the effectiveness of features and the overall user experience. Based
on your consent we may aggregate some of your data to create statistics about
the use of Mika and share them with our pharma partners to improve the user
experience. The statistics will not allow you to be identified. No personal
information will be shared with third parties.
6. Data privacy rights
Please be aware that the following rights can only be invoked for as long as
we process your personal information. In cases where we anonymize information
(e.g. Section 5), we are not able to identify you any more and as such cannot
fulfil any data privacy rights in that regard.
6.1. Right to access of information
You may request information pursuant to Art. 15 GDPR on how your personal
data is processed and receive a copy of your personal data. Among other
things, you can demand information regarding the purposes of data processing,
the personal data categories that are processed, the recipients of such data
(if such data is transferred), storage periods or the criteria for
determining such storage periods.
6.2. Right to rectification
In case of inaccurate or incomplete personal data, you have the right to
have this data rectified or completed.
6.3. Right to erasure of personal data
You have the right to request the erasure of your personal data if
- the personal data is no longer necessary for the purposes it was
collected for,
- you withdraw consent and no other legal grounds for processing said
data exist,
- you object to the processing (see 6.6) and no overriding
legitimate interests in processing the personal data exist,
- your personal data has been unlawfully processed,
- your personal data must be erased for compliance with EU or
national law.
6.4. Right to restriction of processing
You may request the restriction of the processing of your personal data under
the following circumstances:
- You contest the accuracy of your personal data and data
processing needs to be restricted during the verification period,
- The processing is unlawful, but you oppose the erasure of your
personal data,
- Personal data is no longer needed by us, but you require us to
keep this data for the establishment, exercise or defence of legal claims,
- You have objected to the processing (see 6.6). Processing of your data
would be restricted for the time we require to review your request and to
verify that no legitimate grounds override your request.
6.5. Right to data portability
You have the right to receive a copy of your personal data that you provided
to us in a structured, commonly used and machine-readable format.
6.6. Right to object
In cases where we’re processing your personal data based on a legitimate
interest, you have the right to object to the processing on grounds relating to
your particular situation.
You may also object to the processing of your personal data for direct
marketing purposes.
6.7. Right to complaint
If you’re of the opinion that certain data processing is violating data
privacy requirements, you may lodge a complaint with a relevant supervisory
authority. The competent supervisory authority for Mika in the EU is:
Berliner Beauftragte für Datenschutz
Alt-Moabit 59-61
10555 Berlin
mailbox@datenschutz-berlin.de
7. CCPA rights
The CCPA provides consumers from California with specific rights regarding
their personal information. This section will inform you about your rights.
Please see section 2 on how to get in contact with us.
7.1. Right to know
You may request information on what personal information we have collected,
used, shared, or sold about you, and the purposes for such data processing for
a period of the last 12 months preceding your request. In case you invoke your
right to know, we will provide you with the following information free of
charge:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which your personal information
was collected
- The purposes for which the personal information is used
- The categories of third parties with whom we share the personal
information
- The categories of information that we sell or disclose to third
parties. Please be aware that we do not sell your personal information.
7.2. Right to delete
You may request that we delete your personal information. In case we
receive such a request, we will require our service providers (see section 4)
to do the same. Please be aware that invoking this right may affect the
services we provide. Depending on which information you require us to delete,
we may not be able to provide you with the desired services that require
this information.
7.3. Right to opt-out
You may request that we don’t sell or share your personal information
(“opt-out”) for cross-context behavioral advertising, which is the targeting of
advertising to you based on your personal information obtained from your
online activity across numerous websites. We do not sell your personal
information. For information we share with Google and Meta (see sections 4.4
and 4.5), you can withdraw your consent at any time in our cookie banner.
7.4. Right to non-discrimination
We will not discriminate against you for exercising your CCPA rights. This
includes but is not limited to the following aspects:
- We will not charge you a different rate or price for exerting
your rights.
- We will not deny you access to any of our services.
- We will not provide you with a different level or quality of our
services.
7.5. Right to correct
Should we have incorrect information about you, you may require us to
correct the incorrect personal information.
7.6. Right to limit
You have the right to require us to limit the use of your sensitive personal
information to the services you requested. Sensitive information may include
your social security number, financial account information, your precise
geolocation data or genetic data.
Date of this privacy policy: 12.03.2024