Privacy policy - Mika app

With this privacy policy declaration we would like to inform you about how we process personal data. The protection of your privacy is of the utmost importance to us, which is why compliance with the legal provisions on data protection is a matter of course for us.

Name and contact details of the person responsible

Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2
13347 Berlin

Represented by:

Dr. Gandolf Finke
Dr. Jan Simon Raue

Contact:

Email: support@mika.health

Data Protection Officer

If you have any questions about our data protection measures, the processing of your data or the protection of your data subject rights, you can reach us and our data protection officer as follows:

External data protection officer:

ePrivacy GmbH

represented by Prof. Dr. Christoph Bauer

Große Bleichen 21, 20354 Hamburg

For all questions and concerns regarding your data, please contact support@mika.health

If you want to communicate directly with our data protection officer (e.g. because you have a particularly sensitive matter), please contact him by letter post, as communication by e-mail can always have security gaps. When making your request, please indicate that your request relates to Fosanis GmbH.

Personal Data

Personal data is any information about a specific or identifiable person. This includes the following categories of personal data that we process:

  • Your contact details (e.g. first and last name, e-mail address, phone number)
  • Online identifiers (such as user IDs, IP addresses)
  • Usage data, usage time and usage profiles
  • Health data (such as information on symptoms, condition, stress areas, type of cancer, type of therapy)
  • Your diary entries
  • Technical data related to crash reports (app version, device information, operating system, time and details about the circumstances of the problem, error codes from our server, a user identifier that allows us to determine how many users are affected by a specific problem)
  • Your correspondence with us

Legal basis

We rely on the following legal bases to process your data:

  • Your consent, if you have given us such (art. 6(1)(a) UK GDPR),
  • the initiation or execution of a contract with you (art. 6(1)(b) UK GDPR),
  • the fulfillment of legal obligations (art. 6 (1)(c) UK GDPR),
  • the implementation of our legitimate interests (art. 6(1)(f) UK GDPR)

Purposes

We process your data for the following purposes:

  • to provide our service in accordance with the User Agreement
  • to correspond with you
  • to process contracts with you
  • for quality assurance and statistics
  • to improve our service
  • for scientific evaluation of our service

Legitimate Interests

The processing of your data aims to protect the following legitimate interests:

  • the protection of our systems against misuse

Requirement or Obligation to Provide Data

Unless expressly stated, the provision of your data is not required or mandatory.

Storage duration

We store your data

  • if you have consented to the processing, at most until you revoke your consent;
  • if we need the data to fulfill a contract, at most for as long as the contractual relationship with you exists;
  • if we use the data on the basis of a legitimate interest, at most as long as your interest in erasure or anonymization does not outweigh our interests;
  • if there are statutory retention requirements, until the end of the retention periods.

If you want to revoke your consent, you can do this in the settings under "Delete user account".

Automated processing in individual cases including profiling

We refrain entirely from making decisions based on automated processing, including profiling, which produce legal effects vis-à-vis you or which significantly affect you in a similar way.

Data recipients

Disclosure of Personal Information to Service Providers

We work with service providers who process certain data on our behalf. This is done exclusively in accordance with the applicable data protection law. In particular, we have concluded data processing agreements with our service providers - to the extent required by law - which meet the requirements of art. 28 UK GDPR, and we issue the service providers with instructions on how to handle the data. Through careful selection and regular checks, we ensure that our service providers take all organizational and technical measures necessary to protect your data.

Our data recipients are:

Hetzner Online GmbH

This app is hosted by an external service provider (hoster). The personal data collected by the app is stored on the hoster's servers.

These are:

  • user profiles,
  • information on the health of users,
  • usage data,
  • crash reports

Our hoster will only process your data to the extent that this is necessary to fulfill its performance obligations and will follow our instructions in relation to this data.

We use the following hoster (server location):

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen

Conclusion of a data processing agreement: In order to ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster.

Thryve

We use the Thryve service from mHealth Pioneers GmbH (Körtestraße 10, 10967 Berlin, Germany) to read, store and process data from wearables. Information about vital data, activity data and online identifiers is collected. mHealth Pioneers GmbH has no access to other data stored by Mika. To use the service, your devices must be authorized in the app for data transfer. If you do not want this, you can end the data processing by disconnecting the connection in the app under "My Devices".

Typeform

We use services from Typeform SL, a Spanish company located in C/Bac de Roda, 163 (Local), 08018 - Barcelona for user surveys. The survey data is matched internally with the user IDs for further analysis. Providing the email address is optional for the user. If the user provides it, a follow-up email might be sent.

To withdraw your consent, please send an email to support@mikahealth.co.uk. For more information, please refer to Typeform SL's privacy policy at admin.typeform.com

Ministry of Code GmbH (MoC)

We use the services of the Ministry of Code UG (Rödingsmarkt 14, 20459 Hamburg) for the installation, maintenance and operation of our IT infrastructure, software systems and software. They manage the application, storage and monitoring software required to operate Mika. MoC can technically access all personal data of users, but may not and will not do so. We have entered into a DPA with the Ministry of Code.

Amazon Web Services (AWS)

We use AWS Services (38 Avenue John F. Kennedy, L-1855, Luxembourg) to allow users to get better suggestions from our system. Your information will be pseudonymised and processed on the AWS server in Frankfurt, Germany. The data on AWS is encrypted and only we have access to the encryption key. The following data is stored encrypted on AWS services:

  • User ID (without email & name),
  • user profile,
  • Data about items tagged with User ID.

A data processing agreement with AWS is in place. You can find out more about data protection at AWS here: aws.amazon.com

One.com

In order to be able to send you emails as a user, we use the provider One.com. One.com is located at Carlsgatan 3, 211 20 Malmo, Sweden.

You can find out more about data protection at One.com here: www.one.com/de/

We have concluded a data processing agreement with One.com to ensure that data protection requirements are met.

Sendinblue

For sending emails to users, we use the provider SendInBlue, located at 7 rue de Madrid, 75008 Paris, France. We use SendInBlue for the following transactional emails:

  • Confirmation of new user's email address
  • Asking for Double OptIn email consent
  • Confirmation of OptOut for email consent
  • Request of user password reset
  • Confirmation of user password reset
  • Confirmation of user password change
  • Verification of updated user-email-address

as well as for customer relationship management purposes and email marketing (if the appropriate email consent is given). You can find out more about data protection in SendInBlue's privacy policy: de.sendinblue.com

Adjust

In order to manage our marketing campaign, we make use of the tool Adjust, located at Saarbrücker Str. 37A, 10405 Berlin, Germany. Users are directed to install Mika from the app stores through a QR link. No user-related information is obtained.

You can find out more about data protection at Adjust GmbH: www.adjust.com

Optional according to user settings: Automatic collection of health-related data

We enable you to connect and import your activity and health data from different sources (such as mobile phones, smart watches, fitness trackers and other digital health services). By storing the authorization information for your account with another provider, you explicitly authorize us to transfer your data from this provider to your account with us (the legal basis for this right is art. 20 UK GDPR).

The collection of this information is voluntary and not necessary for the use of Mika. The basis for the processing of your data is your consent, art. 6(1)(a) and 9(2)(a) UK GDPR. You can revoke this consent at any time. Further information on your data protection rights can be found under paragraph 4 of the rights of data subjects.

For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin. mHealth Pioneers GmbH has no access to other data stored by Mika.

Scope of the automatically collected data

If your authorization information has been stored, the following data relating to your health, for example, can be automatically collected and stored when using Mika with your consent: Activities like steps, sleep duration and sleep phases.

Personal data is only stored in encrypted form.

Transfer to third countries

We transfer personal data to countries outside of the United Kingdom. This transfer takes place on the basis of contractual regulations provided for by law, which are intended to ensure adequate protection of your data and which you can review on request.

Your rights

Your rights as a data subject are as follows:

  • To request information about how your data is processed and to receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (in case such data is transferred), storage periods or the criteria for determining such storage periods.
  • To receive personal data relating to you in a structured, commonly used and machine-readable format or to transfer it to another controller or person responsible.
  • To rectify your data. If your personal data is incomplete, you are entitled to complete it under consideration of the purposes pursued by such data processing.
  • To have your data deleted or blocked.
  • To restrict the extent to which your data is processed.
  • To object to the processing of your data.
  • To revoke your consent to your data being processed with future effect.
  • To lodge a complaint with the relevant supervisory authority regarding unlawful data processing.

Please note that uninstalling the app will not delete your data. To delete your data, please delete your user account as described below.

If you would like to revoke your consent to data processing by Mika and have your data stored by Mika deleted, you can revoke your consent to data processing in the Mika app via Settings > Delete user account - without affecting the legality of the data processing that took place before the revocation - and thus block your account.

Before the blocking (and only before the blocking), we can transfer your data to you if you write to us at support@mikahealth.co.uk with this wish. Your data will then be archived in accordance with the statutory storage obligation from the time of blocking, will no longer be processed after archiving and can no longer be viewed. After the deadline, the data will be deleted.

The blocking cannot be undone.

Your data is no longer available to you from the moment it is deleted. Mika can then no longer perform the services described in our terms and conditions, can no longer establish a connection to your account for you and can no longer understand whether you are or were a Mika user. Any remaining period of use that may have already been paid for expires without the possibility of offsetting or reimbursement.

If the deletion contradicts other statutory, contractual, tax or commercial retention requirements or other statutory reasons, your account can only be permanently blocked instead of being deleted.

Status of the data protection declaration

If our processes change, we adjust the information.

Status of this data protection declaration: 05.04.2023

Privacy policy

The purpose of this privacy policy is to inform you about how we process personal data. The protection of your privacy is of paramount importance to us, for which reason we ensure compliance with statutory provisions on data protection as a matter of course.

This privacy policy contains information for all our visitors in the EU, UK, Switzerland and United States of America. In case legal grounds have been stated by referencing the General Data Protection Regulation (GDPR), all information also corresponds to the UK GDPR respectively. All information given pertains to visitors from all locations unless stated otherwise.

1. Name and contact details of the responsible party

Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2,
13347 Berlin Germany
Email: support@mika.health

2. Data protection officer

If you have any questions regarding our data protection measures, the processing of your data or about the protection of your rights as a data subject, you can reach us and our data protection officer as follows:

External data protection officer:

ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg, Germany

For all questions and concerns regarding your data, please contact support@mika.health

Should you wish to communicate directly with our data protection officer (for example, because you have a particularly sensitive concern), please contact them by letter post since communication by email can always pose certain security risks. Please state in your enquiry that your concern relates to the company Fosanis GmbH.

3. Security measures

All information collected by using Mika is only stored and transferred using state-of-the-art encryption. To ensure the highest level of security for your personal information, we have implemented an Information Security Management System (ISMS) based on ISO 27001. Our Information Security Officer, in conjunction with our Data Privacy Officer, ensures that all information processing is done to the highest standards.

Our ISMS includes processes and countermeasures to efficiently and quickly deal with possible data breaches, vulnerabilities and other factors that could have an impact on data security. All of our employees undergo regular information security and data privacy training. The effectiveness of our ISMS is audited on an annual basis by an independent body.

Our service providers are carefully reviewed to ensure compliant handling of personal information. For our app we only utilize hosting providers that have been certified based on ISO 27001, ISO 27017 (cloud information security) and ISO 27018 (data protection for cloud services). This includes HIPAA compliance where required.

4. Use of your data when using our app

We collect and process your personal data to render our health services via the app’s content to you whenever you use our app. This may include data processing to ensure the technical safety of the app, to bill, invoice or otherwise receive compensation from your health insurance, health care provider or company. We may also store some data on your device to provide the app’s functionality.

4.1. Data categories and legal grounds

Our app may collect the following data categories to provide its functionality:

Contact information (e.g. name, address, email address, telephone number)

Health information (e.g. medical indication, symptoms, information on your current health progress, diary entries, stress factors, type of therapy)

Online identifiers and technical information (e.g. IP address, device ID, user ID, crash reports)

Messages you send us within the app

We’re processing your data based on your voluntary consent (Art. 9(2)(a) GDPR for health data and Art. 6(1)(a) GDPR for all other data) and, where applicable, as part of performing our obligations to you based on a service contract (Art. 6(1)(b) GDPR).

4.2. Recipients of your personal information

The following companies provide services to us within the performance of our app and may therefore receive some of your personal information:

  • Amazon Web Services (38 Avenue John F. Kennedy, L-1855, Luxembourg): hosting of our app.
  • Thryve (mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany): middleware to allow connecting our app to external devices and smartphone services
  • Typeform (Typeform SL, Calle de Pallars 108 (Attico) 08018 Barcelona, Spain): form and survey tool
  • Sendinblue (7 rue de Madrid, 75008 Paris, France): email service provider
  • Google: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland: email management

4.3. Storage duration

We store your personal information until you revoke your consent by deleting your account. You can do this at any time within the app itself. Please be aware that this cannot be reversed.

If we’re rendering our services to you as part of a service contract then we store your data until the contract has been terminated, unless you delete your account beforehand.

5. Data collection to improve our app

When you register, you have the choice to consent to us using some of your personal data to improve our app and for the scientific evaluation of our services. This includes enhancing the usability of our app as well as analysing the effectiveness of features and overall user experience. Based on your consent we may aggregate some of your data to create statistics about the use of Mika and share them with our Pharma partners to improve the user experience. The statistics will not allow you to be identified. No personal information will be shared with third parties.

6. Data privacy rights

Please be aware that the following rights can only be invoked for as long as we process your personal information. In cases where we anonymize information (e.g. Section 5), we are not able to identify you any more and as such cannot fulfil any data privacy rights in that regard.

6.1. Right to access of information

You may request information pursuant to Art. 15 GDPR on how your personal data is processed and receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (in case such data is transferred), storage periods or the criteria for determining such storage periods.

6.2. Right to rectification

In case of inaccurate or incomplete personal data, you have the right to have this data rectified or completed.

6.3. Right to erasure of personal data

You have the right to inquire about the erasure of your personal data, if

  • the personal data is no longer necessary for the purposes it was collected for,
  • you withdraw consent and no other legal grounds for processing said data exist,
  • you object to the processing (see 5.6) and no overriding legitimate interests in processing the personal data exist,
  • your personal data has been unlawfully processed,
  • your personal data must be erased for compliance with EU or national law.

6.4. Right to restriction of processing

You may inquire about restricting the processing of your personal data under the following circumstances:

  • You contest the accuracy of your personal data and data processing needs to be restricted during the verification period,
  • The processing is unlawful, but you oppose the erasure of your personal data,
  • Personal data is no longer needed by us, but you require us to keep this data for the establishment, exercise or defence of legal claims,
  • You have objected to the processing (see 5.6). Your data’s processing would be restricted for the time we require to review your request and to verify that no legitimate grounds override your request.

6.5. Right to data portability

You have the right to receive a copy of your personal data that you provided to us in a structured, commonly used and machine-readable format.

6.6. Right to object

In cases where we’re processing your personal data based on a legitimate interest, you have the right to object to the processing on grounds relating to your particular situation.

You may also object against the processing of your personal data for direct marketing purposes.

6.7. Right to complaint

If you’re of the opinion that certain data processing is violating data privacy requirements, you may lodge a complaint with a relevant supervisory authority. The competent supervisory authority for Mika in the EU is:

Berliner Beauftragte für Datenschutz
Alt-Moabit 59-61
10555 Berlin
mailbox@datenschutz-berlin.de

7. CCPA rights

The CCPA provides consumers from California with specific rights regarding their personal information. This section will inform you about your rights. Please see section 2 on how to get in contact with us.

7.1. Right to know

You may request information on what personal information we have collected, used, shared, or sold about you, and the purposes for such data processing, for the 12 months preceding your request. In case you invoke your right to know, we will provide you with the following information free of charge:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which your personal information was collected
  • The purposes for which the personal information is used
  • The categories of third parties with whom we share the personal information
  • The categories of information that we sell or disclose to third parties. Please be aware that we do not sell your personal information.

7.2. Right to delete

You may request that we delete your personal information. In case we receive such a request, we will require our service providers (see section 4.) to do the same. Please be aware that invoking this right may affect our provided services. Depending on which information you require us to delete, we may not be able to provide you with the desired services that would require this information.

7.3. Right to opt-out

You may request that we don’t sell or share your personal information (“opt-out”) for cross-context behavioral advertising, which is the targeting of advertising to you based on your personal information obtained from your online activity across numerous websites. We do not sell your personal information. For information we share with Google and Meta (see sections 4.4 and 4.5), you can withdraw your consent at any time in our cookie banner.

7.4. Right to non-discrimination

We will not discriminate against you for exercising your CCPA rights. This includes but is not limited to the following aspects:

  • We will not charge you a different rate or price for exerting your rights.
  • We will not deny you access to any of our services.
  • We will not provide you with a different level or quality of our services.

7.5. Right to correct

Should we have incorrect information about you, you may require us to correct the incorrect personal information.

7.6. Right to limit

You have the right to require us to limit the use of your sensitive personal information to the services you requested. Sensitive information may include your social security number, financial account information, your precise geolocation data or genetic data.

Date of this privacy policy: 12.03.2024