Privacy Notice
This privacy notice (the "Privacy Notice") informs you about how [Clinic], ("we" or "us") treats your personal data ("Data") according to the [insert reference to local data protection regulation] ("[XXX]") and the EU General Data Protection Regulation ("GDPR"), as applicable, when using our services (the "Services") provided on or through our application (the "Application") and/or our website (the "Website"), or in any of the other situations set out in Section 3. Within the scope of the [XXX], references in this Privacy Notice to the GDPR shall be understood as references to the corresponding provisions in the [XXX].
1. Controller[, EU Representative] and Contact Details
Controller is [Clinic], [address], [country] (E-Mail: [e-mail address]).
[Our EU representative is [name, address, country] (E-Mail: [e-mail address]).]
2. Obligation to Provide Data
You are in general under no obligation to provide us with any Data. However, if you do not provide the required information regarding certain use cases set out in Section 3 (in particular Registration Data or Health Data, both as defined in Section 3.1), we will not be able to process your request, provide the related services or get in contact with you.
3. Processed Data, Purpose, Legal Basis and Storage Period
We may process various categories of Data, depending on the circumstances as set out hereinafter. We may process your Data for security and access control purposes (GDPR 6.1.1.f) or in order to comply with legal obligations, directives and recommendations from authorities (GDPR 6.1.1.c) and internal regulations, including such purposes as compliance, risk management, corporate governance and business organization (GDPR 6.1.1.f).
To the extent required under the GDPR, our processing is generally based on (a) the need for performance of our contract with you, based on our Terms of Service, or for processing your request for a contract (GDPR 6.1.1.b); (b) the need for compliance with legal obligations to which we are subject (GDPR 6.1.1.c); (c) legitimate interests in fulfilling the purposes mentioned below (GDPR 6.1.1.f) and/or as otherwise specified in the following Sections hereinafter. Where we process Health Data (as defined in Section 3.1), we further do so based on your explicit consent (GDPR 9.2.a).
Except in case of contrary legal or contractual obligations, we will erase or anonymize your Data once the storage or processing period has expired. We process and retain Data for as long as (a) our processing purposes, the legal retention periods and our legitimate interests regarding documentation require it, (b) storage is a technical requirement, or (c) it may be necessary for the assessment or exercise of or for the defense against legal claims. Regarding specific use/data categories, we will in general retain your Data as described in the Sections below.
4. Service Data (including Health Data)
When using our Services, we may collect Service related Data, including Registration Data, Usage Data and Health Data as defined hereinafter (altogether "Service Data").
Categories of Data: When registering for our Services, you will be required to open an account or create a login, and we may require such information as your first name, last name, username, password, e-mail, phone number, address, contact details, payment details, etc. ("Registration Data"). Furthermore, when using our Services, we may analyze your use of our Services in order to get to know you better and tailor our Services to you, by collecting data about your behavior and preferences ("Usage Data"). In addition, to be able to provide our Services to you, we may process health data related to you as identifiable person ("Lifestyle Data") regarding:
your general health (date of birth, gender, height, weight, BMI (body mass index), body fat percentage, muscle mass percentage);
your sleep (hours slept, REM sleep duration, deep sleep duration);
your activity (steps, calories burnt, body temperature, average heart rate, resting heart rate, HRV (heart rate variability));
your respiration (respiration rate, pulse OX (oxygen saturation), vo2 max (maximum rate of oxygen consumption),
your menstrual cycle; and
your blood parameters (blood pressure, average glucose)
Purpose and Legal Basis: Service Data will be used to provide our Services through the App or Website, as further set out in the Terms of Service (GDPR 6.1.1.b) and, regarding Health Data, further based on your consent (GDPR 6.1.1.a/9.2.a). Furthermore, we may aggregate and anonymize any Service Data or general Data (thus becoming "Anonymous Data") and use (and let our service providers use) such Anonymous Data to analyze patterns and Service usage to improve our Services, App or Website, to analyze and understand demographic trends, health metrics, correlations, behavior patterns and preferences, and help us and our service providers to enrich the content and quality of our Services. Anonymous Data will not be linked to you or any of your personal data.
Storage Period and Erasure: Service Data that is personal data will in general be stored as long as you are accessing/using (or have the right to access/use) our Services, and such Data will be deleted after termination of your contract and/or deletion of your account, if and to the extent (a) we are not legally obliged to retain such Data (e.g. for accounting or document retention purposes or based on statutory requirements) and (b) we do not have an overriding legitimate interest to retain such data for documentation, quality assurance or similar business purposes or for the assessment or exercise of or for the defense against legal claims. Anonymous Data will not be subject to any storage limitation or erasure requirements.
5. Technical Data
When using our Services, we may collect such data as required to operate, provide and secure the App, Website or other technical means related thereto and to the Services provided thereon ("Technical Data").
Categories of Data: When accessing our App/Website (and thereby the Services), the following information about your device may be collected automatically: server identificator, IP address, operating system, type of device, browser name and version, date and time of access, address of the website from which you were redirected to our Website (if applicable).
Purpose and Legal Basis: The processing regarding App/Website use is based on our legitimate interest to operate and secure our App/Website (and any technical means related thereto) and our Services, in particular for security reasons to ensure the stability and integrity of our systems (GDPR 6.1.1.f). In addition, we may perform basic analysis based on our legitimate interest (GDPR 6.1.1.f) to optimize the App/Website regarding usability and to gain insights about the use of our App/Website and Services. Technical Data will not be merged with other personal data or disclosed to third parties.
Storage Period and Erasure: Technical Data will be stored as long as required to enable the requested access and secure the stability and integrity of our systems and regarding data related to analysis purposes for as long as required to perform the analysis and will thereafter be deleted or anonymized.
6. Website Cookies
Cookies are small files that are managed by your browser and are directly stored on your device whenever you visit our Website. You can disable the use of cookies in the preferences of your browser, but this might have as a consequence that not all functions of our Website or Services may be available anymore or function properly.
Categories of Data: Technical Data.
Purpose and Legal Basis: We may use cookies on our Website to ensure a user-friendly experience (e.g. session cookies), as they allow us to recognize your browser on your next visit in order to provide you a user-friendly experience based on our legitimate interest (GDPR 6.1.1.f).
Storage Period and Erasure: Cookies will be stored on your device for the time period required to achieve the related purpose and will thereafter be deleted by your browser.
7. Communication
We may be in contact with you by use of different channels, in particular through the communication functions of our App or e.g. if you fill out forms on our Website, send us e-mails, or by using other electronic (or hardcopy) communication means, whereby Data may be exchanged ("Communication Data").
Categories of Data: If you fill out our contact forms, send us an e-mail or another form of electronic message (or hardcopy message, e.g. a letter), we may collect such information as your name, e-mail address (or other form of communication identifier, e.g. messenger nickname), phone number, subject matter, corresponding message content, related metadata and any other information you choose to disclose in your communication to us. If you communicate with us via the communication channels offered in the App, all such communication and any information you choose to disclose in your communication to us will be connected to you and your account.
Purpose and Legal Basis: We use Communication Data to provide you our communication based Services, liaise with you regarding the Services, and process your inquiries and any possible further questions you might have in relation to our Services (GDPR 6.1.1.b) and any other related questions and matters based on the content of your communication with us (GDPR 6.1.1.a). We may also keep this data to document our communication with you, for training purposes, for quality assurance and for follow-up inquiries (GDPR 6.1.1.f).
Storage Period and Erasure: Communication Data collected as part of the Services will be stored as long as you are accessing/using (or have the right to access/use) our Services, and such Data will be deleted after termination of your contract and/or deletion of your account, if and to the extent (a) we are not legally obliged to retain such Data (e.g. for accounting or document retention purposes) and (b) we do not have an overriding legitimate interest to retain such data for documentation, quality assurance or similar business purposes or for the assessment or exercise of or for the defense against legal claims.
8. Profiling
We may use your Data to automatically evaluate personal aspects relating to you (so-called "Profiling"), but will not use it for automated decision making.
Categories of Data: Depending on the specific circumstances, the Data categories listed in this Section 3 may be used for Profiling.
Purpose and Legal Basis: Profiling may be performed for the purposes set out in this Section 3, in particular in order to provide bespoke Services (e.g. by providing you with personalized assessments and recommendations), to determine preferences, to detect misuse and security risks, to perform statistical analysis or for operational planning (GDPR 6.1.1.f and, where Health Data is concerned, GDPR 6.1.1.a/9.2.a). Profiling will only be used to gain a better understanding of certain aspects and will not lead to automated individual decision making (GDPR 22.1).
Storage Period and Erasure: Data resulting from Profiling will be stored for the time period required to achieve the related purpose and be deleted or anonymized thereafter, if and to the extent (a) we are not legally obliged to retain such Data (e.g. for accounting or document retention purposes) and (b) we do not have an overriding legitimate interest to retain such data for documentation, quality assurance or similar business purposes or for the assessment or exercise of or for the defense against legal claims.
9. Disclosure and Transfer of Data
We may disclose your Data to recipients as set out in Section 4.1, which may include cross-border data transfers as further defined in Section 4.2.
Categories of Recipients
We may make your Data available to the following recipients in compliance with the applicable legal requirements:
our group or associated companies;
health related service providers such as specific coaches and consultants (e.g. wellness coaches you interact with through the Services);
external service providers such as IT and Service related technical services providers (e.g. for support purposes);
authorities (in [country] and abroad, if we are legally obliged or entitled to such disclosures or if it appears necessary to protect our interests).
Cross-Border Transfer of Data
We may transfer your Data to countries within the EU/EEA or to the UK or Switzerland, and to the following countries outside of Switzerland or the EU/EEA/UK, provided that such countries (a) provide for an adequate level of data protection according to the assessment of the competent data protection or governmental authority, or (b) we ensure an adequate level of data protection based on appropriate safeguards such as the EU Standard Contractual Clauses ("EU-SCC"), adapted to Swiss law to the extent required ("CH-SCC"): […]. For a copy of the EU-SCC / CH-SCC, please contact us as indicated in Section 1.
10. Right to Object
Regarding any processing of your Data based on our legitimate interest (GDPR 6.1.1.f), you may have the right to object to such processing by explaining your particular reasons and specific circumstances on which your objection is based.
Regarding cookies through which certain Data may be collected, you can block the setting of such cookies at any time by changing the settings in your browser accordingly. Please note that a deactivation of cookies may result in a limited user experience and you may not be able to use every function of our Website or Services or to access the Services in an appropriate manner altogether.
11. Your Rights as Affected Data Subject
You have the right to request information about your Data we process and further rights regarding such data processing. In particular, you have - or may have, depending on the circumstances - the right to:
Information, i.e. to ask us whether we are processing Data about you, and if so, to provide you with further information related thereto.
Correction, i.e. to ask us to correct your Data if it is incorrect or incomplete.
Deletion, i.e. to delete your Data (to the extent we are not under a legal obligation or have an overriding legitimate interest to retain such Data).
Restrict Processing, i.e. to ask us to temporarily restrict our processing of your Data.
Data Portability, i.e. to ask us to provide you in electronic form (to the extent technically feasible) the Data you have provided to us.
Withdraw Your Consent, i.e. to withdraw your consent if and to the extent you have previously given your consent to any specific purpose of processing of your Data (e.g. regarding processing of Health Data, GDPR 9.2.a). This will not affect the lawfulness of any processing carried out before you withdraw your consent (or any processing based on any legal basis other than your consent) and it may mean that we will no longer be able to provide our Services to you.
In case you wish to exercise any of these rights, please contact us as specified in Section 1 or, if you wish to withdraw your consent based on GDPR 9.2.a, by deleting your account. Before responding to your request, we may ask for proof of identity. This helps us to ensure that your Data is not disclosed to any person who has no right to receive it.
12. Data Security
We have put appropriate technical and organizational security policies and procedures in place to protect your Data from loss, misuse, alteration or destruction. We limit access to personal data in general. Those individuals who have access to the data are required to maintain the confidentiality of such information.
13. Complaints / Regulatory Authority
If you believe that our processing of your Data contradicts the applicable data protection laws, you have the possibility to lodge a complaint with the appropriate data protection authority.
The data protection authority for [country] is [data protection authority information]. Based on your residence, you may have the possibility to lodge a complaint with the appropriate data protection authority of your place of residence.
14. Changes to this Privacy Notice
This Privacy Notice does not form part of any contract with you and we may amend it at any time. In such case, the amended Privacy Notice will be brought to your attention by appropriate means.
Last update: [ ]