Privacy policy - Mika app

With this privacy policy declaration we would like to inform you about how we process personal data. The protection of your privacy is of the utmost importance to us, which is why compliance with the legal provisions on data protection is a matter of course for us.

Name and contact details of the person responsible

Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2
13347 Berlin

Represented by:

Dr. Gandolf Finke
Dr. Jan Simon Raue

Contact:

Email: support@mika.health

Data Protection Officer

If you have any questions about our data protection measures, the processing of your data or the protection of your data subject rights, you can reach us and our data protection officer as follows:

External data protection officer:

ePrivacy GmbH

represented by Prof. Dr. Christoph Bauer

Große Bleichen 21, 20354 Hamburg

For all questions and concerns regarding your data, please contact support@mika.health

If you want to communicate directly with our data protection officer (e.g. because you have a particularly sensitive matter), please contact him by letter post, as communication by e-mail can always have security gaps. When making your request, please indicate that your request relates to Fosanis GmbH.

Personal Data

Personal data is any information about a specific or identifiable person. This includes the following categories of personal data that we process:

  • Your contact details (e.g. first and last name, e-mail address, phone number)
  • Online identifiers (such as user IDs, IP addresses)
  • Usage data, usage time and usage profiles
  • Health data (such as information on symptoms, condition, stress areas, type of cancer, type of therapy),
  • Your diary entries
  • Technical data related to crash reports (app version, device information, operating system, time and details about the circumstances of the problem, error codes from our server, a user identifier that allows us to determine how many users are affected by a specific problem),
  • Your correspondence with us

Legal basis

We rely on the following legal bases to process your data:

  • Your consent, if you have given us such (art. 6(1)(a) UK GDPR),
  • the initiation or execution of a contract with you (art. 6(1)(b) UK GDPR),
  • the fulfillment of legal obligations (art. 6(1)(c) UK GDPR),
  • the implementation of our legitimate interests (art. 6(1)(f) UK GDPR)

Purposes

We process your data for the following purposes:

  • to provide our service in accordance with the User Agreement
  • to correspond with you
  • to process contracts with you
  • for quality assurance and statistics
  • to improve our service
  • for scientific evaluation of our service

Legitimate Interests

The processing of your data aims to protect the following legitimate interests:

  • the protection of our systems against misuse

Requirement or Obligation to Provide Data

Unless expressly stated, the provision of your data is not required or mandatory.

Storage duration

We store your data

  • if you have consented to the processing, at most until you revoke your consent;
  • if we need the data to fulfill a contract, at most for as long as the contractual relationship with you exists;
  • if we use the data on the basis of a legitimate interest, at most as long as your interest in erasure or anonymization does not outweigh our interests;
  • if there are statutory retention requirements, until the end of the retention periods.

If you want to revoke your consent, you can do this in the settings under "Delete user account".

Automated processing in individual cases including profiling.

We exclusively refrain from making decisions based on automated processing, including profiling, which produce legal effects vis-à-vis you or which significantly affect you in a similar way.

Data recipients

Disclosure of Personal Information to Service Providers

We work with service providers who process certain data on our behalf. This is done exclusively in accordance with the applicable data protection law. In particular, we have concluded data processing agreements with our service providers, to the extent required by law, which meet the requirements of art. 28 UK GDPR and issue the service providers with instructions on how to handle the data. Through careful selection and regular checks, we ensure that our service providers take all organizational and technical measures necessary to protect your data.

Our data recipients are:

Hetzner Online GmbH

This app is hosted by an external service provider (hoster). The personal data collected by the app is stored on the hoster's servers.

These are:

  • user profiles,
  • information on the health of users,
  • usage data,
  • crash reports

Our hoster will only process your data to the extent that this is necessary to fulfill its performance obligations and will follow our instructions in relation to this data.

We use the following hoster (server location):

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen

Conclusion of a data processing agreement: In order to ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster.

Thryve

We use the Thryve service from mHealth Pioneers GmbH (Körtestraße 10, 10967 Berlin, Germany) to read, store and process data from wearables. Information about vital data, activity data and online identifiers is collected. mHealth Pioneers GmbH has no access to other data stored by Mika. To use the service, your devices must be authorized in the app for data transfer. If you do not want this, you can end the data processing by disconnecting the connection in the app under "My Devices".

Typeform

We use services from Typeform SL, a Spanish company located in C/Bac de Roda, 163 (Local), 08018 - Barcelona for user surveys. The survey data is matched internally with the user IDs for further analysis. Providing the email address is optional for the user. If the user provides it, a follow-up email might be sent.

To withdraw your consent, please send an email to support@mikahealth.co.uk. For more information, please refer to Typeform SL's privacy policy at admin.typeform.com

Ministry of Code GmbH (MoC)

We use the services of the Ministry of Code UG (Rödingsmarkt 14, 20459 Hamburg) for the installation, maintenance and operation of our IT infrastructure, software systems and software. They manage the application, storage and monitoring software required to operate Mika. MoC can technically access all personal data of users, but may not and will not do so. We have entered into a DPA with the Ministry of Code.

Amazon Web Services (AWS)

We use AWS Services (38 Avenue John F. Kennedy, L-1855, Luxembourg) to allow users to get better suggestions from our system. Your information will be pseudonymised and processed on the AWS server in Frankfurt, Germany. The data on AWS is encrypted and only we have access to the encryption key. The following data is stored encrypted on AWS services:

  • User ID (without email & name),
  • user profile,
  • Data about items tagged with User ID.

A data processing agreement with AWS is in place. You can find out more about data protection at AWS here: aws.amazon.com

One.com

In order to be able to send you emails as a user, we use the provider One.com. One.com is located at Carlsgatan 3, 211 20 Malmo, Sweden.

You can find out more about data protection at One.com here: www.one.com/de/

We have concluded a data processing agreement with One.com to ensure that data protection requirements are met.

Sendinblue

For sending emails to users, we use the provider SendInBlue located at 7 rue de Madrid, 75008 Paris, France. We would use SendInBlue for the following transactional emails:

  • Confirmation of new user's email address
  • Asking for Double OptIn email consent
  • Confirmation of OptOut for email consent
  • Request of user password reset
  • Confirmation of user password reset
  • Confirmation of user password change
  • Verification of updated user-email-address

as well as for customer relationship management purposes and email marketing (if the appropriate email consent is given). You can find out more about data protection in SendInBlue's privacy policy: de.sendinblue.com

Adjust

In order to manage our marketing campaign, we make use of the tool Adjust located at Saarbrücker Str. 37A, 10405 Berlin, Germany. Users are directed to install Mika from the app stores through a QR link. No user-related information is obtained.

You can find out more about data protection at Adjust GmbH: www.adjust.com

Optional according to user settings: Automatic collection of health-related data

We enable you to connect and import your activity and health data from different sources (such as mobile phones, smart watches, fitness trackers and other digital health services). By storing the authorization information for your account with another provider, you explicitly authorize us to transfer your data from this provider to your account with us (the legal basis for this right is art. 20 UK GDPR).

The collection of this information is voluntary and not necessary for the use of Mika. The basis for the processing of your data is your consent, art. 6(1)(a) and 9(2)(a) UK GDPR. You can revoke this consent at any time. Further information on your data protection rights can be found under paragraph 4 of the rights of data subjects.

For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin. mHealth Pioneers GmbH has no access to other data stored by Mika.

Scope of the automatically collected data

If your authorization information has been stored, the following data relating to your health, for example, can be automatically collected and stored when using Mika with your consent: Activities like steps, sleep duration and sleep phases.

Personal data is only stored in encrypted form.

Transfer to third countries

We transfer personal data to countries outside of the United Kingdom. This transfer takes place on the basis of contractual regulations provided for by law, which are intended to ensure adequate protection of your data and which you can review on request.

Your rights

Your rights as a data subject are as follows:

  • To request information about how your data is processed and to receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (in case such data is transferred), storage periods or the criteria for determining such storage periods.
  • To receive personal data relating to you in a structured, commonly used and machine-readable format or to transfer it to another controller or person responsible.
  • To rectify your data. If your personal data is incomplete, you are entitled to complete it under consideration of the purposes pursued by such data processing.
  • To have your data deleted or blocked.
  • To restrict the extent to which your data is processed.
  • To object to the processing of your data.
  • To revoke your consent to your data being processed with future effect.
  • To lodge a complaint with the relevant supervisory authority regarding unlawful data processing.

Please note that uninstalling the app will not delete your data. To delete your data, please delete your user account as described below.

If you would like to revoke your consent to data processing by Mika and have your data stored by Mika deleted, you can revoke your consent in the Mika app via Settings > Delete user account and thus block your account. This does not affect the legality of the data processing that took place before the revocation.

Before the blocking (and only before the blocking), we can transfer your data to you if you write to us at support@mikahealth.co.uk with this wish. Your data will then be archived in accordance with the statutory storage obligation from the time of blocking, will no longer be processed after archiving and can no longer be viewed. After the deadline, the data will be deleted.

The blocking cannot be undone.

Your data is no longer available to you from the moment it is deleted. Mika can then no longer perform the services described in our terms and conditions, can no longer establish a connection to your account for you and can no longer understand whether you are or were a Mika user. Any remaining period of use that may have already been paid for expires without the possibility of offsetting or reimbursement.

If the deletion contradicts other statutory, contractual, tax or commercial retention requirements or other statutory reasons, your account can only be permanently blocked instead of being deleted.

Status of the data protection declaration

If our processes change, we adjust the information.

Status of this data protection declaration: 05.04.2023