Simplified overview of the data processing of the apps from Kaia Health Software GmbH

  • User account registration and creation
    Data: Contact and medical history data
    Processor: AWS, IMEDIAPP SA (Batch.com), BroadSoft Germany GmbH
  • Using the App
    Data: Exercise history, questionnaires, training settings
    Processor: AWS, IMEDIAPP SA (Batch.com), Google
  • Technical provision of the App
    Data: Technical device information
    Processor: AWS, IMEDIAPP SA (Batch.com)
  • Billing for our services
    Data: Activation code, pseudonymous payment nonce
    Processor: Noventi
  • Communication in connection with support requests
    Data: Support requests
    Processor: Zammad, mailbox.org, BroadSoft Germany GmbH
  • Prescription service when used
    Data: Prescription details, contact details
    Processor: Zammad, mailbox.org, Deutsche Post AG
  • Evidence of positive care effects
    Data: User and application data
    Processor: -
  • Improvement and further development of the app (optional)
    Data: User and application data
    Processor: -
  • Compliance with statutory obligations
    Data: User and application data
    Processor: Bayoomed

This presentation provides a simplified overview of the data processing operations at Kaia Health. It is not legally binding. The legally binding information is available in the flow text of the privacy policy for our Apps.


Privacy Policy for our apps (EU)

As of: June 2024

This privacy policy explains how We, Kaia Health Software GmbH (hereinafter: "Kaia", "We", "Us", etc.) process your personal data (hereinafter: "Data") when you use the digital health apps (hereinafter: "Apps") provided by Us and the associated features. The protection of your Data in the context of the use of Our Apps is important to Us. We therefore collect and process your Data only in accordance with applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter: "GDPR").

Scope of this privacy policy / Intended use of the Apps

This privacy policy applies to the following Apps:

  1. Controller, contact data, and management

    The data protection controller within the meaning of Article 4 (7) GDPR is:

    Kaia Health Software GmbH,
    Herzog-Wilhelm-Straße 26,
    80331 Munich, Germany
    E-Mail: compliance@kaiahealth.com

  2. Data protection officer

    You can contact Our Data Protection Officer as follows:

    PROLIANCE GmbH / www.datenschutzexperte.de
    Data Protection Officer
    Leopoldstr. 21
    80802 Munich, Germany
    E-Mail: datenschutzbeauftragter@datenschutzexperte.de

  3. Terms used

    All data protection terms have the same meaning as defined in the GDPR.

  4. General overview of Our data processing activities

    We collect and process Data from you which you provide to Us when using the App. This involves, in particular:

    For a detailed description of how We process your Data, please refer to the following clause 5. of this privacy policy.

  5. Detailed description of Our data processing in connection with the provision and use of the App

    In the following, We will describe how We process your Data in connection with the provision and use of the App, including (i) the categories of Data concerned, (ii) the purposes of data processing, (iii) the respective legal bases on which We process your Data, as well as (iv) the storage period for your Data:

    1. Data processing for the intended use of the App

      The Data provided by you in connection with the intended use of the App are processed by Us as follows:

      • User account registration and creation

        Using the App requires prior registration and the creation of a user account after downloading the App from the App store.

        In the following, We will describe how We process your Data in connection with registration and creation of a user account in the App:

        • Categories of data

          In connection with the registration and creation of a user account in the App, We collect the following Data from you (hereinafter: "User Data"):

          • First name,

          • Gender,

          • E-mail address,

          • Telephone number,

          • Password,

          • Activation code,

          • Health insurance, and

          • Answers to medical history questions.

        • Purposes of data processing

          We process your User Data to:

          • Create a personal user account for you;

          • Determine whether the use of the App is medically indicated for you;

          • Check whether your Data is complete, including telephone or electronic contact details for any queries;

          • Process your Data, if necessary, for queries with you by telephone or e-mail;

          • Provide you with the App and associated features; and

          • Bill you for Our services.

        • Legal basis of data processing

          The legal basis for processing your User Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        • Storage period

          We store your User Data for the duration of the contract period and, where statutory storage periods exist that go beyond this (e.g. in the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) or for regulatory reasons), for the duration of the statutory storage period.

      • Use of the App and the associated features

        In the following, We will describe how We process your Data in connection with using the App and the associated features:

        • Categories of data

          In connection with using the App and the associated features, We collect the following Data from you (hereinafter: "Application Data"):

          • Profile and status data,

          • Therapy units completed,

          • Enrolled courses,

          • Medical questionnaires,

          • Therapy development metrics,

          • E-mail address,

          • Push tokens, and

          • Training weekdays.

        • Purposes of data processing

          We process your Application Data to provide the App and associated features, in particular:

          • Provision and reminder to do your therapy units,

          • Provision of information on your therapy units by e-mail or push notification as well as a PDF export for the user and the attending physician,

          • Visualization of the progress of your therapy,

          • Adaptation of your personal therapy units,

          • Reminder of health check appointments to ensure the App is used safely and as intended, and

          • Provision of information, e.g. on security-relevant updates and events.

        • Legal basis of data processing

          The legal basis for processing your Application Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        • Storage period

          We store your Application Data for as long as required for the provision and use of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.

      • Collection of device data for the technical provision of the App

        In the following, We will describe how We process your Data when collecting device data for the technical provision of the App:

        • Categories of data

          In connection with using the App, Kaia's server automatically collects the following Data from you (hereinafter: "Technical Data"):

          • App and operating system version, and

          • Anonymized IP address (last octet(s) masked).

        • Purposes of data processing

          We process your Technical Data to:

          • Enable an uninterrupted and safe operation of the App, and

          • Obtain information about security-relevant events as well as to provide updates.

        • Legal basis of data processing

          The legal basis for processing your Technical Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        • Storage period

          We store your Technical Data for as long as required for the provision and use of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.

      • Billing for Our services provided in connection with the App

        In the following, We will describe how We process your Data to bill Our services provided in connection with the App:

        • Categories of data

          In connection with the billing of Our services, We collect the following Data from you (hereinafter: "Billing Data"):

          • Entered activation code or

          • Pseudonymous payment nonce provided by our payment processor.

        • Purposes of data processing

          We process your Billing Data to bill you for Our services in connection with the use of the App and forward them to the responsible health insurance company for billing purposes if the service is reimbursed by your health insurance company.

        • Legal basis of data processing

          The legal basis for processing your Billing Data is your consent to the processing of your Data for the intended use of the App (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        • Storage period

          We store your Billing Data for as long as necessary to bill Our services and, where statutory storage periods exist that go beyond this (e.g. in the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) or for regulatory reasons), for the duration of the statutory storage period.

      • Communication in connection with support requests

        In the following, We will describe how We process your Data for communication in connection with support requests:

        • Categories of data

          When you contact Us because of a support request, We collect the Data you provide in connection with your support request (e.g. by phone, contact form or e-mail). Mandatory fields are marked as such, as in these cases We absolutely need the Data to process your support request. The respective input form indicates which Data are collected.

        • Purposes of data processing

          We process these Data for the purpose of communicating with you, e.g. to receive error messages and answer questions as part of your support request.

        • Legal basis of data processing

          The legal basis of processing your Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        • Storage period

          We store your Data for as long as required for processing your support request and, where statutory storage periods exist beyond this (e.g. in the German Commercial Code, the German Fiscal Code, or for regulatory reasons), for the duration of the statutory storage period.

    2. Data processing to provide evidence of positive health care effects within the context of a trial according to Sec. 139e para. 4 SGB V

      We use your Data to provide evidence of positive health care effects within the context of a trial according to Sec. 139e para. 4 SGB V.

      This means that We have to provide the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) with evidence in form of a comparative study showing that the App has positive health care effects and, for this purpose, We need to examine and evaluate the results of the therapies and record them in an outcome study.

      In the following, We will describe how We process your Data in connection with the demonstration of positive health care effects:

      • Categories of data

        In connection with providing evidence of positive health care effects, We collect your Data provided in the context of the intended use of the App, including User, Application and Technical Data (cf. clause 5. a. above).

      • Purposes of data processing

        We process your Data for the purpose of providing evidence of positive health care effects by analyzing and evaluating the development and progress of the respective therapies. We then anonymize the results on the basis of aggregated data, summarize them in a report and send it to the competent regulatory and supervisory authorities. As your Data will only be passed on in anonymous form, no information identifying you is communicated.

      • Legal basis of data processing

        The legal basis for processing your Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

        Please note that this data processing cannot be separated from the data processing for the intended use of the App (cf. clause 5. a. above), as the corresponding testing and verification is necessary for the provision of the App.

      • Storage period

        We store your Data for as long as required for providing evidence of positive health care effects and, where statutory storage periods exist beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.

    3. Data processing for the improvement and further development of the App

      If you have given Us your (optional) consent to do so, We process your Data to improve and further develop the App, e.g. for the continuous safeguarding and optimization of the technical functionality and user-friendliness of the App as well as the associated features.

      In the following, We will describe how We process your Data to improve and further develop the App:

      • Categories of data

        In connection with the improvement and further development of the App, We process the Data provided by you in the context of the intended use of the App, including User, Application and Technical Data (cf. clause 5. a. above).

        In addition, We process the following Data of you:

        • Information on the hardware used,

        • Information on when which features and input masks were called up and how they were used, and

        • Information from the optional query about the prescriber in the registration process (first and last name, zip code, city).

      • Purposes of data processing

        We process these Data for the purpose of improving and further developing the App, including, without limitation:

        • To analyze and evaluate your user behavior in the App (e.g. to determine the user acceptance of certain new features etc.),

        • To analyze and evaluate developments and progress of the respective therapies,

        • To support the activation of prescriptions that have already been prescribed and to improve user-friendliness, and

        • To analyze and evaluate your Data in connection with internal studies to optimize therapy approaches.

        When processing your Data to improve and further develop the App, We ensure that, wherever possible, your Data are anonymized or pseudonymized at the earliest possible stage.

      • Legal basis of data processing

        The legal basis for processing your Data is your consent to the processing of your Data for the improvement and further development of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).

      • Storage period

        We store your Data for as long as required for the improvement and further development of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.

    4. Data processing for compliance with statutory obligations

      In the following, We will describe how We process your Data in order to comply with statutory obligations:

      • Categories of data

        In order to comply with applicable statutory obligations, We process the Data provided by you in the context of the intended use of the App, including Technical and Billing Data (cf. clause 5. a. above).

      • Purposes of data processing

        We process these Data for the purpose of compliance with applicable statutory obligations, in particular Our obligations under medical device law, e.g. to carry out conformity assessment procedures and post-market monitoring of the App.

        In order to comply with Our statutory obligations, We may also share your Data with competent regulatory and supervisory authorities; however, We will share your Data only in pseudonymous form, so no information directly identifying you is shared.

      • Legal basis of data processing

        The legal basis for processing your Data for compliance with Our statutory obligations is, as applicable, Art. 6 para. 1 lit. c) and e) GDPR in conjunction with the respective special legal provision of Art. 9 para. 2 lit. i) and j) GDPR.

      • Storage period

        We store your Data for as long as required for the compliance with Our statutory obligations and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.

    5. Data processing for other permissible data processing operations

      To the extent permitted by law, We reserve the right to process your Data for other processing purposes. In this case and to the extent required by law, We will inform you again about this further data processing and obtain your consent.

      Your Data may e.g. also be processed by Us in other ways and may also be disclosed to third parties if We are legally obligated to do so - e.g. by court order (Art. 6 para. 1 lit. c) GDPR) or if this is required to support criminal or legal inquiries or other legal investigations or proceedings in Germany or in other countries or to safeguard legitimate interests (Art. 6 para. 1 lit. f) GDPR, as the case may be, in conjunction with the respective special legal provision of Art. 9 para. 2 GDPR), e.g. for the provision of services or for the enforcement and defense of legal claims.

  6. Wording, granting and revoking of your declaration of consent

    At the end of this document you will find the wording of your declaration of consent to the processing of your Data (i) for the intended use of the App (required consent) as well as (ii) for the improvement and further development of the App (optional consent).

    Please note that the use of the App requires your prior consent to the processing of your Data for the intended use of the App (for more information on data processing, cf. clause 5. a. above). This also includes the data processing to provide evidence of positive health care effects in the context of a trial according to Sec. 139e para. 4 SGB V (for further information on data processing, cf. clause 5. b. above).

    You may withdraw your consent, given during registration or in the App's settings menu, to the processing of your Data (i) for the intended use of the App and also, if given by you, (ii) for the improvement and further development of the App at any time with effect for the future by selecting the respective item in the App's settings menu.

    If you do not give your consent to the processing of your Data for the intended use of the App or if you subsequently withdraw it, Kaia will of course not (no longer) be able to provide you with the functions of the App. In this case, We will delete your account.

  7. Privacy by default

    In accordance with the data protection law principle of "privacy by default", the App allows for the individual adaptation of specific features in some cases. All features offered within this App are generally part of the intended use and are required for an optimal use of the App in its entirety. However, Kaia understands that as different people may have different preferences regarding communication, sustainability of control, etc., some features are optional and can be enabled or disabled in the App's settings.

    This includes, for example, using push notifications to send you alerts. When you use the App for the first time, you will be asked if you want to enable these functions in your settings menu. You may also enable these functions or disable them again at a later time. The same applies, for example, to e-mails sent by Kaia to remind you to complete your therapy units.

  8. Data recipients

    1. Processors pursuant to Art. 28 GDPR

      We may transfer your Data collected by the App to the following processors in the meaning of Art. 28 GDPR who assist Us in the operation of the App and the provision of Our services:

      Name: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg
      Function: Cloud Platform as a Service (PaaS) – provision of server and database resources for the operation of the App. Any and all Data are transmitted, stored and processed exclusively in encrypted form. No Data are transferred to the US. If US authorities request the release of Data, no Data will be made available or, in any case, legal action will be taken and fully exhausted.
      Processed data: Encrypted: User data, contact data, health data, billing data, data for the improvement and further development of the App.

      Name: Zammad GmbH, Marienstraße 18, 10117 Berlin, Germany
      Function: Indexing and answering of support requests
      Processed data: Requests made to the support team. May include message text, subject, e-mail address and name.

      Name: mailbox.org / Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany
      Function: E-mail inbox for support requests
      Processed data: Requests made to the support team. May include message text, subject, e-mail address and name.

      Name: NOVENTI HealthCare GmbH, Berg-am-Laim-Straße 105, 81673 Munich, Germany
      Function: Payment processing
      Processed data: Processing of DiGA payment via statutory health insurers using the DiGA activation code.

      Name: IMEDIAPP SA (Batch.com), 43 rue Beaubourg, 75003 Paris, France
      Function: Push and e-mail notifications
      Processed data: Treatment-related notifications via push and e-mail. May include push identifiers and e-mail addresses.

      Name: BroadSoft Germany GmbH c/o Cisco Systems GmbH, Lothringer Straße 56, D-50677 Cologne, Germany
      Function: Contact by telephone. Any and all Data are transmitted, stored and processed exclusively in encrypted form. No Data are transferred to the US. If US authorities request the release of Data, no Data will be made available or, in any case, legal action will be taken and fully exhausted.
      Processed data: Telephone number

      Name: Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany
      Function: Dispatch of prescriptions submitted through Kaia Health
      Processed data: Contact details, health data

      Name: Bayoomed GmbH, Europaplatz 5, 64293 Darmstadt, Germany
      Function: Integration with Telematics Infrastructure
      Processed data: Contact details, general personal data, patient data

      Name: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      Function: Cloud services for messaging and notifications
      Processed data: Push token

      We have concluded contracts with all of Our processors pursuant to Art. 28 GDPR, stipulating in particular that the data processing will be carried out exclusively according to Kaia's instructions and that all employees who come in contact with Kaia's data have been obligated to comply with data protection regulations.

    2. Other recipients

      Moreover, We may disclose your Data to the following categories of recipients for the aforementioned processing purposes:

      • Health insurance fund, e.g. for billing Our services,
      • Regulatory and supervisory authorities, e.g. to demonstrate positive health care effects and to comply with statutory obligations, e.g. conducting conformity assessment procedures and post-marketing monitoring, and
      • Accountants, legal advisors, tax advisors, etc. supporting Us in the context of Our management.

      Each of the above recipients processes your Data independently as a controller in the meaning of Art. 4 para. 7 GDPR.

    3. Third-party data processing

      Please note that in the context of providing the App, Kaia also collaborates with other partners who are not processors and who may collect Data directly from customers, without any data transfer by Kaia.

      This includes e.g. the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A. with registered office in the EU (hereinafter: "PayPal") as well as PayPal's respective processors. If you wish to make any payments via PayPal, you will be automatically redirected to the website of PayPal or its affiliated companies for payment purposes. Such third-party providers are not "recipients" of Kaia in the meaning of Art 13 para. 1 GDPR. They collect the customer's Data independently and based on your decision to make the payment via PayPal. We would furthermore like to note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.

  9. International data transfer

    The processing of your Data may be carried out by Kaia in Germany, in a Member State of the EU or the EEA or, if an adequacy decision pursuant to Art. 45 GDPR exists, in a third country outside the EU or the EEA.

  10. Storage and erasure concept

    We generally only store your Data for as long as is necessary to achieve the purposes for which the Data was collected or until you withdraw your consent (see clause 11.). If there are additional statutory storage periods (e.g. in the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) or for regulatory reasons), your Data will be stored for the duration of the statutory storage period.

    You may end your use of Kaia at any time and delete all your Data. To do so, select the menu item "Manage your data" in the App's settings. There, you may also selectively delete all Data that We have collected for product improvement or improvement of the Motion Coach, if you have previously given your consent for this.

    We store health-related Data physically and logically separate from Data required for billing purposes. A deletion also deletes any of your Data that have been processed by processors.

  11. Your data protection rights

    According to the GDPR, you are entitled to the following data protection rights pursuant to statutory requirements:

    To exercise your right of access and your right to data portability, select the menu item "Manage your data" in the App settings. There you can export your Data in both a human-readable and a machine-readable format.

    To rectify your Data, you can find some options directly in the App's settings. If you would like to rectify additional Data, you may always contact Our customer support at www.kaiahealth.de/kontakt/, who will rectify the Data for you.

    To obtain a restriction of processing or to object to the processing of your Data, you will also find options in the App's settings under the menu item "Manage your data". If you would like to further restrict the processing of your Data, please contact Our customer support at www.kaiahealth.de/kontakt/.

    In addition, you have the right to lodge a complaint with the relevant supervisory authority if you believe your Data are not being processed lawfully. The competent supervisory authority for Kaia is Bayerisches Landesamt für Datenschutzaufsicht; postal address: Postfach 606, 91511 Ansbach; telephone: +49 (0) 981 53 1300; e-mail: poststelle@lda.bayern.de.

  12. Contact details

    For all questions regarding the protection of your Data, you may also contact Our Data Protection Officer at datenschutzbeauftragter@datenschutzexperte.de, who is also available to receive your requests to exercise your data protection rights as well as suggestions and complaints.

  13. Changes to the privacy policy

    We reserve the right to update this privacy policy from time to time, in particular in order to reflect changes to Our services, e.g. technical and organizational adjustments to the App, changes in legislation or case law, or your feedback. We therefore recommend that you visit this website regularly to find out how your Data is protected and processed. We will notify you in advance by e-mail and/or in the App of any material changes to this privacy policy.



Wording of the declaration of consent

I consent to the processing of my personal data (including health data) for the following purposes:

For further information on how we process your personal information and on your data protection rights, please refer to our privacy policy. You may withdraw your consent(s) at any time in the settings for the future.