Privacy policy

The purpose of this privacy policy is to inform you about how we process personal data. The protection of your privacy is of paramount importance to us, for which reason we ensure compliance with statutory provisions on data protection as a matter of course.

This privacy policy contains information for all our visitors in the EU, UK, Switzerland and United States of America. In case legal grounds have been stated by referencing the General Data Protection Regulation (GDPR), all information also corresponds to the UK GDPR respectively. All information given pertains to visitors from all locations unless stated otherwise.

1. Name and contact details of the responsible party

Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2
13347 Berlin Germany
Email: support@mika.health

2. Data protection officer

If you have any questions regarding our data protection measures, the processing of your data or about the protection of your rights as a data subject, you can reach us and our data protection officer as follows:

External data protection officer:

ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg, Germany

For all questions and concerns regarding your data, please contact support@mika.health

For all questions and concerns regarding your data, including contact to our Data Privacy Officer, please contact compliance@mika.health. Please state in your enquiry that your concern relates to the company Fosanis GmbH.

3. Security measures

To ensure the highest level of security for your personal information, we have implemented an Information Security Management System (ISMS) based on ISO 27001. Our Information Security Officer, in conjunction with our Data Privacy Officer, ensures that all information processing is done to the highest standards.

Our ISMS includes processes and countermeasures to efficiently and quickly deal with possible data breaches, vulnerabilities and other factors that could have an impact on data security. All of our employees undergo regular information security and data privacy training. The effectiveness of our ISMS is audited on an annual basis by an independent body.

Our service providers are carefully reviewed to ensure a compliant handling of personal information. For our app we only utilize hosting providers that have been certified based on ISO 27001, ISO 27017 (cloud information security) and ISO 27018 (data protection for cloud services). This includes HIPAA compliance where required.

4. Purposes of data processing

To render our services, we may store information on your device (e.g. as a cookie or in your browser’s local or session storage). When visiting our website, our cookie banner allows you to choose the services that are allowed to store data on your device. Some cookies may be mandatory to ensure the functionality of the respective service. You can find out which information is being stored on your device, as well as the storage duration, by visiting the cookie banner. You can also use the cookie banner to update your consent choices at any time.

4.1. Data processing when contacting us

We offer you a variety of ways of contacting us. Depending on which form of communication you choose, your data may be processed by means of different service providers:

  • Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland): email and document management
  • Hubspot (Hubspot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany): Customer Relationship Management tool for managing contacts of healthcare professionals

We’re processing your data based on our legitimate interest (Art. 6(1)(f) GDPR) to allow for customer communication and to handle your inquiries to provide proper customer services as well as to improve our services. This extends to all personal data that you present to us within the context of the communication and may include, but is not limited to contact details (e.g. email address, telephone number, postal address), subject matters and other personal information such as health information, dates and time stamps of the communication.

Your inquiries will be deleted automatically after three years.

4.2. Data processing when visiting our website and server logs

We use Host Europe GmbH, Hansestraße 111, 51149 Cologne, Germany to host our website. When visiting our website, our web server logs connection data such as your IP address, the requested content and time stamps based on our legitimate interest (Art. 6(1)(f) GDPR), to ensure proper performance of our server infrastructure, to identify problems and to prevent abuse of our systems. The log data is stored on the servers of our hosting provider for a duration of 14 days. Should we register an attack on our servers, relevant data may be handed over to the police in which case the data would be stored until the conclusion of the proceedings.

4.3. Cookiebot

We use Cookiebot of Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark based on our legitimate interest (Art. 6(1)(f) GDPR) to comply with EU regulations regarding the use of cookies on our website as well as to obtain relevant user permissions for using cookies on our website. This involves capturing the following data: user IP numbers in anonymised form (the last three digits are set to '0'), date and time when consent was granted, the user agent of a user's browser, the URL from which the consent was sent, an anonymous, random and encrypted key, users’ consent status, which serves as proof of consent. Additionally, Cybot may receive personal information (e.g. IP address, time stamps) when serving program scripts to you to allow the execution of Cookiebot. Further information about the provider can be found at: http://www.cookiebot.com . Your consent and all data related to it will be stored until you revoke it.

4.4. Google Services

We use Google Analytics and Google Adsense of Google Ireland Limited, Gordon House Barrow Street Dublin 4, Republic of Ireland (hereinafter referred to as ‘Google’). Google Analytics enables an analysis of the use of our website and uses cookies for this purpose. Data collected via Google Analytics is transmitted to a Google server, where it is stored and analysed.

The Google Adsense advertising function involves use of remarketing and performance reports broken down by demographic characteristics and interests. The purpose of these methods is to use information about user behaviour to tailor advertising measures more closely to the interests of the respective users. In the context of remarketing, personalised advertising measures may be placed on other websites based on a user's surfing behaviour on our website. In this regard, any such advertising material may contain products that a user previously viewed on our website. If you have given Google permission to link your web and app browsing history with your Google account and to use data captured from your Google account for the purpose of personalising ads, Google will use such data for cross-device marketing.

We collect data with Google services based on your voluntary consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time via the cookie banner without affecting the lawfulness of any data processed before the withdrawal of your consent. You can also prevent Google from collecting data by managing your settings in the Google Ad Center or by installing the Google Analytics Opt-out browser add-on.

For the Google services used, both we and Google are joint controllers. We have entered into a joint data controller agreement with Google regarding the processing of your data in accordance with Art. 26 GDPR.

Further information on terms of use and data protection can be found at http://policies.google.com .

Google may transfer data to the USA for the purpose of storage and further processing. Any such data transfer to the USA would be subject to the standard contractual clauses of the EU Commission as well as the requirements Google has to meet under the Data Privacy Framework.

5. Data privacy rights

5.1. Right to access of information

You may request information pursuant to Art. 15 GDPR on how your personal data is processed and receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (in case such data is transferred), storage periods or the criteria for determining such storage periods.

5.2. Right to rectification

In case of inaccurate or incomplete personal data, you have the right to have this data rectified or completed.

5.3. Right to erasure of personal data

You have the right to inquire about the erasure of your personal data, if

  • the personal data is no longer necessary for the purposes it was collected for,
  • you withdraw consent and no other legal grounds for processing said data exist,
  • you object to the processing (see 5.6) and no overriding legitimate interests in processing the personal data exist,
  • your personal data has been unlawfully processed,
  • your personal data must be erased for compliance with EU or national law.

5.4. Right to restriction of processing

You may inquire about restricting the processing of your personal data under the following circumstances:

  • You contest the accuracy of your personal data and data processing needs to be restricted during the verification period,
  • The processing is unlawful, but you oppose the erasure of your personal data,
  • Personal data is no longer needed by us, but you require us to keep this data for the establishment, exercise or defence of legal claims,
  • You have objected to the processing (see 5.6). Your data’s processing would be restricted in the time we require to review your request and to verify that no legitimate grounds override your request.

5.5. Right to data portability

You have the right to receive a copy of your personal data that you provided to us in a structured, commonly used and machine-readable format.

5.6. Right to object

In cases where we’re processing your personal data based on a legitimate interest, you have the right to object to the processing on grounds relating to your particular situation.

You may also object against the processing of your personal data for direct marketing purposes.

5.7. Right to complain

If you’re of the opinion that certain data processing is violating data privacy requirements, you may lodge a complaint with a relevant supervisory authority. The competent supervisory authority for Mika in the EU is:

Berliner Beauftragte für Datenschutz
Alt-Moabit 59-61
10555 Berlin

mailbox@datenschutz-berlin.de

6. CCPA rights

The CCPA provides consumers from California with specific rights regarding their personal information. This section will inform you about your rights. Please see section 2 on how to get in contact with us.

6.1. Right to know

You may request information on what personal information we have collected, used, shared, or sold about you, and the purposes for such data processing for a period of the last 12 months preceding your request. In case you invoke your right to know, we will provide you with the following information free of charge:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which your personal information was collected
  • The purposes for which the personal information is used
  • The categories of third parties with whom we share the personal information
  • The categories of information that we sell or disclose to third parties. Please be aware that we do not sell your personal information.

6.2. Right to delete

You may request that we delete your personal information. In case we receive such a request, we will require our service providers (see section 4.) to do the same. Please be aware that invoking this right may affect our provided services. Depending on which information you require us to delete, we may not be able to provide you with the desired services that would require this information.

6.3. Right to opt-out

You may request that we don’t sell or share your personal information (“opt-out”) for cross-context behavioral advertising, which is the targeting of advertising to you based on your personal information and obtained from your online activity across numerous websites. We do not sell your personal information. For information we share with Google and Meta (see sections 4.4 and 4.5), you can withdraw your consent at any time in our cookie banner.

6.4. Right to non-discrimination

We will not discriminate against you for exercising your CCPA rights. This includes but is not limited to the following aspects:

  • We will not charge you a different rate or price for exerting your rights.
  • We will not deny you access to any of our services.
  • We will not provide you with a different level or quality of our services.

6.5. Right to correct

Should we have incorrect information about you, you may require us to correct the incorrect personal information.

6.6. Right to limit

You have the right to require us to limit the use of your sensitive personal information to the services you requested. Sensitive information may include your social security number, financial account information, your precise geolocation data or genetic data.

Date of this privacy policy: 19.03.2024