Data Privacy App
Privacy Policy for users of the Mon Coach santé app
With this privacy policy, we inform you as a User of our Mon Coach santé Angel App (hereinafter referred to as the “Mon Coach santé Angel App”) about our handling of your personal data and about your rights under the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The data controller responsible for data processing is eTherapists GmbH (hereinafter referred to as “we” or “us”).
1. General information
1.1 Contact
If you have any questions or suggestions about this information, or if you would like to contact us about exercising your rights, please send your request to
eTherapists GmbH
Invalidenstr. 117, 10115 Berlin, Germany
E-mail: dataprivacy.support@moncoachsanteangel.fr
1.2 Legal basis
The term “personal data” under data protection law refers to all information that relates to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular, the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Data processing by us only takes place on the basis of legal permission. We process personal data only with your consent (Section 25 [1] TTDSG or Art. 6 [1] lit. a GDPR), for the performance of a contract to which you are a party or, at your request, for the performance of pre-contractual measures (Art. 6 [1] lit. b GDPR), for the performance of a legal obligation (Art. 6 [1] lit. c GDPR) or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms require otherwise (Art. 6 [1] lit. f GDPR).
1.3 Duration of storage
Unless otherwise stated in the following notes, we only store the data for as long as is necessary to achieve the purpose of the processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law provisions. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof, as well as with complaints and the assertion of claims, for the duration of the statutory limitation periods. We will delete data that we process on the basis of your consent if you object to the processing for this purpose.
1.4 Categories of recipients of the data
We use processors as part of the processing of your data. Processing operations carried out by such processors include, for example, hosting, sending e-mails, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing measures or file and data carrier destruction. A processor is a natural person or legal entity, public authority, agency or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively for us as the data controller and are contractually obliged to ensure appropriate technical and organisational measures for data protection. In addition, we may transfer your personal data to bodies such as postal and delivery services, house bank,
tax consultancy/auditing firm or the tax authorities. Further recipients may result from the following notes.
1.5 Data transfer to third countries
Our data processing may involve the transfer of certain personal data to third countries, i.e., countries where the GDPR is not applicable law. Such transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in such a third country. If such an adequacy decision by the European Commission is not available, transfer of personal data to a third country will only take place if appropriate safeguards are provided in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met. An adequacy decision applies to the following countries: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. For data transfers to the U.S., the adequacy decision applies to companies certified under the Privacy Framework and listed on this list (https://www.dataprivacyframework.gov/s/participant-search). Unless otherwise indicated below, we use the EU Standard Contractual Clauses as appropriate guarantees for the transfer of personal data to third countries. You have the option of obtaining or viewing copies of these EU Standard Contractual Clauses. Please contact the address provided under Contact.
If you consent to the transfer of personal data to third countries, the transfer will be based on the legal basis of Art. 49 para. 1 letter a GDPR.
1.6 Processing when exercising your rights
If you exercise your rights under Articles 15 to 22 GDPR, we will process the personal data provided for the purpose of implementing those rights by us and to be able to provide evidence thereof. We will only process data stored for the purpose of providing information and preparing it for this purpose, and for the purpose of data protection control and otherwise restrict processing in accordance with Art. 18 GDPR.
These processing operations are based on the legal basis of Art. 6 (1) lit. c GDPR in conjunction with. Art. 15 to 22 GDPR and Section 34 (2) BDSG.
1.7 Your rights
As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:
- In accordance with Art. 15 GDPR and Section 34 BDSG, you have the right to request the disclosure of information about whether and, if so, to what extent we are processing personal data relating to you or not. You can assert your right to information within the App under “Account”, “Manage account”, “Request data”.
- You have the right to demand that we correct your data in accordance with Art. 16 GDPR.
- You have the right to demand the deletion of your personal data in accordance with Art. 17 GDPR and Section 35 BDSG. You can exercise your right of deletion within the App under “Account”, “Manage account”, “Delete account”.
- You have the right to restrict the processing of your personal data in accordance with Article 18 GDPR.
- You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another data controller.
- If you have given us separate consent to data processing, you can revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation shall not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
- If you are of the opinion that a processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
1.8 Right of objection
In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Art. 6 (1) lit. e or lit. f GDPR on grounds arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) GDPR.
1.9 Data Protection Officer
You can reach our data protection officer at the following contact details: E-mail: datenschutz@e-therapists.de
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg https://www.datenschutzkanzlei.de
2. Data processing when using Mon Coach santé Angel
Personal data is any information relating to an identified or identifiable individual. This includes information with which you can be directly identified, such as your name or photo. In addition, there is information that can indirectly reveal information about you – such as information about your body, impairments or complaints – as well as information about leisure behaviour or even data that you provide during use to improve quality.
Personal data also includes information disclosed under a pseudonym, i.e. without mentioning your name. In data protection law, the IP address is also considered a personal data. An IP address is assigned to each
device connected to the Internet by the Internet provider so that it can send and receive data. Health data is personal information that directly or indirectly conveys information about a person’s health. This includes information on physical well-being/complaints, information on mental/psychological health. Health data belong to the so-called special types of personal data and are subject to a particularly high level of protection.
When you use Mon Coach santé Angel, we collect information that you provide yourself. In addition, certain information about your usage is automatically collected by us. In the following, we describe in detail what data we process about you and for what purposes.
2.1 Downloading the App
When downloading the App, certain required information is transmitted to the App Store selected by you (Google Play or Apple App Store), in particular, the user name, the e-mail address, the customer number of your account, the time of the download and the individual device number may be processed. The processing of this data is carried out exclusively by the provider of the respective App Store and is beyond our sphere of influence.
2.2 Registering and setting up a Mon Coach santé Angel App user account
In order to use the services of one of our Mon Coach santé Angel App offers, you must create a Mon Coach santé Angel App user account. For registration purposes, we usually collect the following: E-mail address,
IP address, password. The registration data that you enter to use the Mon Coach santé Angel App offers are stored on European servers of the service provider commissioned by eTherapists GmbH.
You can decide which way you want to register when you register your user account. We offer you the following options for registering your user account:
a. Setting up a user account with an e-mail address
The creation of the user account and the use of the services of the Mon Coach santé Angel offer are possible using an e-mail address.
b. Setting up a user account with a Google Account
If you use the option to register via Google, your e-mail address and first name will be transferred from your Google user account to us. This data will only be used by us for the purposes of login and registration. In return, Google can use the
Sign-in service to recognise when and how you logged into Mon Coach santé Angel. No information will be passed on about your use of the content or services provided.
c. Setting up a user account with “Sign in with Apple”
If you use the “Sign in with Apple” option, you can decide for yourself whether the e-mail address stored with your Apple ID or a private relay address (alias) is transmitted to us. The private relay address automatically forwards all e-mails from us to the e-mail address stored with your Apple ID. You can find more information about “Sign in with Apple” here: https://support.apple.com/de-de/HT210318. Your use of the content or services provided by Mon Coach santé Angel will not be shared with Apple by us.
The data processing is carried out for the performance of services and is based on the legal basis of Art. 6 (1) lit. b GDPR.
3. Data processing during use
a. Automatic processing of personal data when using the App
When you use our App, we collect the following data, which is technically necessary for us to offer you the functions of our App and to ensure stability and security.
- IP address
- Date and time of the request
- Time zone difference from Coordinated Universal Time (UTC)
- Content of the request (concrete page)
- Access Status/HTTP Status Code
- Data volume transferred in each case
- User agent of the App
- Operating system and its interface
- Language and version of the App.
The legal basis for the processing of this data is Art. 6 (1) lit. f GDPR, and it serves our legitimate interest in the security and stability of our App.
The infrastructure will be operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/ EU). When using AWS, a transfer of your personal data to the USA cannot be excluded. Please note the information in the section
“Data transfer to third countries”. To evaluate access and ensure data security, we also use the New Relic
service of New Relic, Inc. (USA), which processes the data as an order processor exclusively in accordance with instructions. In the course thereof, data transfer to the USA is not excluded. See the passage “Data transfer to third countries”.
b. User profile and content data
We process the data that you provide to us in your User Profile and that we collect and process when you use the App. Your details in the User Profile includes information such as weight, exercise data or dietary habits (only if you provide them voluntarily), usage behaviour and possibly also access rights to your smartphone (e.g. if you want to upload a profile photo). The data processing is carried out in order to provide you with our service and is based on the legal basis of Art. 6 (1) lit. b GDPR.
c. Health data
When using our offers, the processing of health data pursuant to Art. 9 (1) GDPR cannot be excluded. The processing takes place in order to adapt our services and our offers to your needs. The processing of health data takes place exclusively with your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with Art. 9 (2) lit. a GDPR. Consent is voluntary. If you don’t give it to us and don’t provide us with health information, we can’t tailor the recommendations to your individual needs. There shall be no other disadvantages. You can revoke your consent at any time by navigating to the Account section in the Menu of the App. Here, you will find in the Settings section where you can revoke or change your consent.
4. Use of activity information from linked accounts and third party providers
You can import activity information from other platforms into your Mon Coach santé Angel App. You must explicitly agree on the platforms that you want to link these platforms to your user account in order to import this data. You also have the option of determining yourself which data should be imported.
You can link the following providers / platforms to your Mon Coach santé Angel user account:
a. Apple Health App
With an iPhone, you can capture activity and health data or import it from different apps into the Apple Health App. You must explicitly agree to share this data with Mon Coach santé Angel or allow Mon Coach santé Angel to export data to Apple Health. You can revoke the authorisation at any time. The exchange only takes place with your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with Art. 9 (2) lit. a GDPR. and can be revoked at any time.
b. Google Fit App
With an Android smartphone, you can capture activity and health data or import it from different apps into the Google Fit App. You must explicitly agree to share this data with Mon Coach santé Angel or allow Mon Coach santé Angel to transfer data to
Google Fit. You can revoke the authorisation at any time. The exchange only takes place with your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with Art. 9 (2) lit. a GDPR. and can be revoked at any time. Mon Coach santé Angel’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. The App asks for the following permissions for the corresponding purpose:
- Permission: Information about the “Fitness Location”
Purpose: To record your data for step, run and bike challenges. Your location cannot (and will not) be requested by us.
- Permission: Information about the “Fitness Activity”
Purpose: This allows us to distinguish between the different activity types and retrieve the relevant ones (steps, running, cycling, “HeartPoints”) and use them for challenges and training minutes of the “weekly progress”.
- Permission: Information about the “Fitness Body”
Purpose: This allows us to obtain information about your height and weight in order to display steps, distances and your personal health statistics in your profile.
c. Thryve Health SDK
Thryve, a service of mHealth Pioneers GmbH (Germany/EU) allows you to connect and import activity data from numerous different sources. These include the manufacturers Garmin, Fitbit, Polar, Withings, Misfit and others, but also sensors from your mobile phone or smartwatch.
After your explicit consent to share your data that will be processed by your manufacturer or retrieved by your mobile phone or smartwatch, we will only receive a key from mHealth Pioneers GmbH to uniquely assign this data to your profile. You can determine the scope of the data yourself, depending on the manufacturer. We do not receive any other profile information, such as the e-mail address you use for your user account with the manufacturer of your fitness tracker. The exchange only takes place with your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with Art. 9 (2) lit. a GDPR. and can be revoked at any time.
5. Cookies
We use cookies and similar technologies (“cookies”) in our app. Cookies are small data sets that are stored on your device when you use our app.
The use of cookies is in part technically necessary for the operation of our app and therefore permitted without your consent. In addition, we would like to use cookies to
offer special functions and to analyze our app and its use. This includes may also include cookies from third-party providers (so-called third-party cookies).
Further information on this can be found in this privacy policy. We only use such technically unnecessary cookies only with your consent in accordance with Section 25 (1) TTDSG and, if applicable, Art. 6 (1) (a) GDPR.
You can find information on the purposes, providers, and storage duration of individual cookies in the following table:
5.1. Cookie: Crashlytics
Provider: Google Ireland Limited (Ireland/EU)
Purpose: Improve app quality – transfer application crash information
Retention: Until the app is re-installed / deleted
5.2. Cookie: Google Analytics for Firebase
Provider: Google Ireland Limited (Ireland/EU)
Purpose: Personalization – Click tracking to adapt features and content
Retention: Until the app is re-installed / deleted
You can change the selection of cookies at any time and revoke your consent. The revocation option can be found in the app under Menu >> Account >> Settings >> Personalization.
6. Advice from health experts and support
The Mon Coach santé Angel offer gives you the opportunity to contact one of our health experts or support staff by e-mail. The use of counselling by health professionals is voluntary. If you take up the offer of individual counselling by health experts, the health experts can view the health data stored by you in the Mon Coach santé Angel offer. When making use of our
customer support, our support staff can access data from your user account in order to assist you. The data processing is essentially carried out for the performance of the service and is based on the legal basis of Art. 6 (1) lit. b GDPR. For communication with our experts, we use the Freshdesk tool from Freshworks Inc (USA). In the course thereof, a
data transfer to the USA cannot be excluded. See the passage “Data transfer to third countries”.
7. Video coaching
You have the option of booking a video conference with a professional coach. This requires access to the camera and microphone. The data processing only takes place when you use this function, is then generally necessary for the performance of the service and is based on the legal basis of Art. 6 (1) lit. b GDPR. The technical infrastructure is provided by Twilio Ireland Limited (Ireland). In the course thereof, data transfer to the USA is not excluded. Twilio has binding internal data protection rules (Binding Corporate Rules) that have been approved by the supervisory authority and ensure an adequate level of data protection.
8. Communication via e-mail, telephone, etc.
When contacting us (e.g. by e-mail or telephone), the information provided by the enquirer, e.g.
first name, last name, address, telephone number, e-mail address and the content of your message or communication, is processed for the purpose of handling the contact request and its processing pursuant to Art. 6 lit. 1 lit. b GDPR. This is done, in order to be able to communicate with you if you have contacted us, e.g. by answering your questions, processing orders or providing you with requested information. For our internal communication, we use Google Workspace of Google Ireland Limited (Ireland/EU). In the course thereof, data transfer to the USA is not excluded. See the passage “Data transfer to third countries”. We use the Sendgrid service of Twilio Inc. (USA) to send transactional and notification e-mails. In the course thereof, data transfer to the USA is not excluded. Twilio has binding internal data protection rules (Binding Corporate Rules) that have been approved by the supervisory authority and ensure an adequate level of data protection.
9. Product updates
We will send you regular e-mails about the features and innovations of our product. In the course of this, personal data such as name and e-mail address are processed. We base the sending of e-mails on our legitimate interest in providing information about existing and new service offers. The legal basis is Art. 6 (1) letter f GDPR. You can opt out of receiving them by unsubscribing via the unsubscribe link in the e-mail. The e-mails are sent via the Sendgrid service of Twilio Inc (USA). In the course thereof, data transfer to the USA is not excluded. Twilio has binding internal data protection rules (Binding Corporate Rules) that have been approved by the supervisory authority and ensure an adequate level of data protection.
We also analyse the reading behaviour and open rates of our updates. For this purpose, pseudonymised usage data is collected and processed by us, which we do not link with your
e-mail address or IP address. Legal basis for the analysis of our updates is
Art. 6 (1) lit. f GDPR, and the processing serves our legitimate interest in optimising our update. You can object to this at any time by contacting one of the above mentioned contact channels.
10. Services subject to payment
Your payment information will only be processed if you make use of services that require payment. This is done, for example, when paying out premiums. When paying out rewards, only your IBAN is processed in addition to your name and then deleted again. The data processing is carried out for the performance of services and is based on the legal basis of Art. 6 (1) lit. b GDPR.
11. Personalisation (Google Analytics for Firebase)
We use the Google Analytics for Firebase service of the provider Google Ireland Limited (Ireland/EU) in our App. The Google Analytics for Firebase service is a feature of the Google Firebase development platform. Google Analytics is an analytics service that allows us to collect and analyse data about the behaviour of users of our App, in order to compile reports about the activities within our App. This involves processing personal data in the form of online identifiers, IP addresses, device identifiers and information about interaction with our App. Further information on data collection in Google Analytics can be found at https://support.google.com/firebase/answer/6318039. The data is transmitted to Google Ireland and processed on our behalf.
Some of this data is information that is stored in the terminal device you are using. In addition, Google Analytics may also store further information on the terminal device you are using. Such a storage of information by Google Analytics or access to information already stored in your terminal device will only take place with your consent. The legal basis for data processing in connection with the Google Analytics service is, therefore, Art. 6 (1) a GDPR. The legal basis for accessing your terminal device is Section 25 (1) TTDSG. You can revoke your consent at any time with effect for the future. You can find the revocation option in the App under Menu >> Account Settings >> Personalisation.
Google Analytics stores certain data associated with an advertising identifier for 60 days, and retains aggregate reporting without automatic expiration. Retention of user-level data – including conversions – is set at up to 14 months. For all other event data, retention is set at 2 months. Data transfer to the USA is not excluded. See the passage “Data transfer to third countries”.
12. Quality improvement (Google Crashlytics)
We use the Firebase Crashlytics service of the provider Google Ireland Limited (Ireland/EU) in our App. The Firebase Crashlytics service is a feature of the development platform Google
Firebase. Firebase Crashlytics is a crash reporting service that helps us improve the stability and reliability of our App. For this purpose, various data are summarised in crash reports and sent to us. The data is transmitted to Google Ireland for this purpose and processed on our behalf.
Some of this data is information that is stored in the terminal device you are using. Such access to information that is already stored in your terminal device only takes place with your consent. The legal basis for accessing the terminal device is Section 25 (1) TTDSG. If personal data is processed, the legal basis in this case is Art. 6 (1) a GDPR.
Crash reports will only be sent with your explicit consent. When using iOS Apps, you can give consent in the App’s settings or after a crash. For Android Apps, when setting up the mobile device, there is the option to generally agree to the transmission of crash notifications to Google and App developers.
You can revoke your consent at any time with effect for the future. You can find the revocation option in the App under Menu >> Account >> Settings >> Quality Improvement.
This data is stored for a maximum of 90 days. Data transfer to the USA is not excluded. See the passage “Data transfer to third countries”.
13. Disclosure to companies, insurers and health insurance funds
We work with companies and insurers, as well as health insurance companies (providers) who want to make the Mon Coach santé Angel App available to their insurees and employees to improve their health. Insurees and employees are free to register with us. It is not necessary to use your professional e-mail address when registering in the App.
Personal data is not passed on to companies, insurers and health insurance companies. The data will only be evaluated anonymously and, if necessary, used to create a completely anonymous health report for your provider, insofar as this enables you to use our service and you make use of this option. Anonymisation in this case is secured by the fact that we only generate reports if more than 15 people within a company or department use our App. Conclusions about your personal state of health are not possible based on the use of our App and our services.
Version as of: [1.2, 12.12.2023]