Data privacy app

Status: October 2023

As Oviva AG and operator of the website www.oviva.com and the associated Oviva App, we take the protection of your data very seriously. In the following, we would like to inform you about the extent to which and the purpose for which we collect and process personal data from you when using the Oviva App (hereinafter “App”).

1. General; Definitions

We use the following terms, among others, in this Privacy Policy:

Personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Health data are personal data relating to the physical or mental health of a natural person, including the provision of health care services, and revealing information about that person’s state of health.

Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

Consent shall mean any freely given specific and informed indication of the wishes of the data subject, in the form of a declaration or other unambiguous affirmative act, by which the data subject signifies his agreement to the processing of personal data relating to him.

2. Responsibility and contact

The controller of the processing of personal data is the:

Oviva AG (hereinafter “Oviva”, “we”, “us”),

a company under Swiss law with its registered office at the

Zürcherstrasse 64

CH-8852 Altendorf

Handelsregisternummer CH-130.3.019.905-3

Phone: +41 41 511 52 41

kontakt@oviva.ch

If you wish to inspect and update your personal data or if you have any questions regarding data protection on our website, please contact us at any time via the email address kontakt@oviva.ch or by post at the address given above.

You can reach our data protection officer

by email: datenschutz@oviva.com or

by post: at the postal address of the data controller, with the addition of “for the attention of the data protection officer”.

3. Installation of the app

The app is available via distribution platforms operated by third parties, so-called app stores (Google Play and Apple iTunes). Your download may require prior registration with the respective app store and installation of the app store software. Oviva has no influence on the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and the app store software. The responsible party in this respect is solely the operator of the respective app store. If necessary, please inform yourself directly with the respective app store provider.

4. Processing of your personal data

When you register via our website (www.oviva.com), we create a profile for you in the Oviva Coaching Suite. You can use the functionalities of the Oviva Coaching Suite via our app. We will send you the login data required to use the app by email / SMS.

The personal data that you provide to us when registering via the website will be processed by us in accordance with the website’s privacy policy.

The Oviva Coaching Suite is an electronic patient file and serves as an interface between you, your consultant or psychotherapist and us. In the Oviva Coaching App, all (sensitive) personal data collected during registration and nutritional counseling or psychological psychotherapy, as well as the services you have used are documented and managed. The app also offers you various functionalities for carrying out your nutritional counseling or psychotherapy (e.g. appointment scheduling, reminders via push notification, recording of activities, booking and participation in learning programmes) and can be used by you to communicate with the nutritional counselor or psychotherapist (e.g. chat function for queries, exchange of current health data, etc.). Within the scope of this use, we process further personal data.

The processing of this data is based on your consent pursuant to Art. 6 (1) a), Art. 9 (2) a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland, which you give when registering for processing for the provision of the Services.

4.1 Processing your data with your participations

4.1.1 Required login data to use the app

After installation, the app requires the following setup data:

E-mail address and
Password.

Or alternatively:

Mobile phone number and date of birth and
1-time code.

Your e-mail address or your mobile phone number in conjunction with your date of birth is used for unique identification when you log in to the app. The password or 1-time code is a security key that we will send to you by email or SMS after you have registered for nutritional counselling via our website or via your doctor. After the initial registration with the password sent to you, you have the option to choose your own password.

We process your registration data in order to be able to offer you our service in full and to protect your personal data from third-party access. The legal basis is Art. 6 para. 1 b) GDPR (legitimate interests in the aforementioned processing purposes) and, insofar as special categories of personal data are processed, additionally your consent pursuant to Art. 6 (1) a), 9 (2) a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland. You give your consent by agreeing to the processing of personal data for the provision of the services when registering.

4.1.2 Use push notifications

The app also uses push services from the operating system manufacturers. These are short messages that are shown on the user’s display with the user’s consent and with which the user is actively informed about consultation appointments or other reminders (“Don’t forget to drink”).

You will receive regular notifications from your advisor about upcoming appointments or reminders to improve your drinking behaviour via our push notifications according to your selection.

In order to sign up for the push messages, you must confirm the query of your end device to receive the push messages. This process is documented and stored by the operating system manufacturer. For this purpose, the login time and a device token (iOS) or device ID (Android) are stored. This data is used on the one hand to be able to send you the push messages and on the other hand as proof of your registration. These are only encrypted, anonymized device IDs. A conclusion on the individual user is excluded for Oviva.

The legal basis for these processing operations is your consent and thus Art. 6 (1) a) GDPRand as far as special categories of personal data are processed additionally Art. 9. Para. 2 a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland. You can decide during the installation of the app whether you want to use this functionality. By giving your consent you consent. You can revoke your consent to the storage and use of your personal data to receive our push messages at any time with effect for the future. You can revoke your consent in the settings of your end device.

4.1.3 Apple Health Kit

In addition to the manual entry of personal health data in the App (see section 4.1.4) we use in case of consent, we also use the Health Kit framework of Apple Inc, 1 Infinite Loop, Cupertino, CA 95014, USA (hereinafter “Apple”). The Apple Health Kit provides a central location for health and fitness data on the iPhone and the Apple Watch and – with your explicit consent – allows apps to communicate with the Health Kit Store to access and share this data.

You declare the specific consent when you set in the app that a connection should be established with this service.

With such explicit consent (Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland), we process (if applicable) your health data such as workout information (workout start and end [date], workout duration, type of workout, calories burned), distance (walking and running), and steps obtained through the Health Kit Framework to track and display your health and fitness activities. We receive this data in the case of consent from the from Apple Inc. We use this data in the case of consent for nutritional counseling or psychotherapy.

The submission of the declaration of consent is voluntary. You can revoke this at any time with effect for the future. The legality of the data processed on the basis of the consent until revocation.

You can revoke your consent by changing the settings of your mobile device or by turning off the transmission of data in the app under Settings > Connected App > Apple Health Kit

More information about the Health Kit can be found here: https://developer.apple.com/documentation/healthkit.

4.1.4 Data in logs

If you make use of our nutritional advice or psychotherapy, we collect, store and use sensitive data on your state of health and your lifestyle (e.g. height, weight, age, nutritional and eating habits, diagnoses, comorbidities, mental health), chronologically recorded measurement data on your sporting activities (number of steps, weight, energy burnt, training etc.) as well as information on the content and course of the therapy, as discussed between you and the advisor appointed by Oviva AG or exchanged electronically (in particular via the app),on the basis of your consent Art. 6 (1a), Art. 9 Abs. 2 a) GDPR or or Art. 30 in connection with. Art. 31 DSG/Switzerland) provided by you..in order to be able to offer you our therapeutic nutritional advice or psychotherapy in accordance with our General Terms and Conditions. You give your consent by agreeing, when registering, to the processing of personal data for the provision of the services.. For further information on how we process the health data you provide to us, please also see section 3.1 of the website privacy policy.

In the app, you have the option in particular to store personal health data in your diary under the menu item “Home”. You can maintain the following data there:

Activities (such as walking, running, housework, cycling, steps, etc.),
Weight,
Blood glucose levels

It is your free decision whether you provide us with health data for the aforementioned purpose. You can revoke your consent for the future at any time by deleting your entries or by writing an informal message to the above-mentioned e-mail address without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

4.1.5 Google Fit

If you have an Android Phone, we use Google Fit from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”), which provides a central repository for health and fitness data on your Android Phone and, with the express consent of the user, lets apps communicate with Google Fit to access and share that data.

You declare the specific consent when you set in the app that a connection is to be established with this service.

With your express consent (Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland), we process (if applicable) your health data such as workout information (start and end of workout [date], duration of workout, type of workout, calories burned), distance

(walking and running) and steps obtained through Google Fit to track and display your health and fitness activities. We receive this data from Google in case of your consent. We use this data in case of consent for nutritional counseling or psychotherapy.

The submission of the declaration of consent is voluntary. You can revoke this at any time with effect for the future. However, this does not affect the legality of the storage carried out on the basis of the consent until the revocation. You can revoke your consent by changing the settings of your mobile device or turning off the transmission of data in the app under Settings > Connected app > Connect Google Fit.

You can find more information about the use of Google Fit and data processing here:

4.1.6 Fitbit

In addition, you have the option to link your Fitbit account from Fitbit Inc, 199 Fremont Street, 14th Floor, San Francisco, CA 94105 (hereinafter “Fitbit”) to our App. You declare the specific consent when you set in the app that a connection is to be established with this service.

With your express consent (Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland), we process (if applicable) your health data such as heart rate, workout information (start and end of workout, duration of workout, type of workout, calories burned), distance (walking and running) and steps obtained through your Fitbit account to track and display your health and fitness activities. We receive this data from Fitbit Inc. in case of your consent. We use this data for nutritional counseling or psychotherapy in case of consent.

You can find more information about the use of Fitbit and data processing here:

4.1.7 Upload photos in the Oviva App (for nutritional counseling patients only)

For the purpose of tracking your eating behaviour and sending your meals to your coach for analysis, during nutritional counseling, you can add photos to the gallery in the app. This requires that you grant the app access to your camera or gallery on your device. The processing will only take place if you have given your express consent for this in accordance with Art. 9 (2) a), Art. 6 (1) a) DSGVO or Art. 30 in conjunction with Art. Art. 31 DSG/Switzerland. You declare the specific consent when you record images to the app. In this case, your consent is the legal basis for the processing.

The declaration of consent is voluntary. You can revoke this at any time with effect for the future. However, the lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by this. You can declare your revocation, for example, by deactivating access to the camera or gallery in the settings of your cell phone. deactivate.

4.1.8 Communication in the app

(1) Chat function

We offer you a chat function within the app that allows you to communicate with your coach or your psychotherapist and exchange views on the course of your consultation. If you give your explicit consent, your coach or your psychotherapist can also open a group chat with another person.

The offer of consulting also via the chat function is part of our product offer. If you decide to use the chat function to communicate with your coach or psychotherapist, data processing is mandatory because we cannot otherwise offer you the chat function via our app. The legal basis is our legitimate interest in providing a digital communication option with your coach or your psychotherapist(s) with the involvement of a professional provider, Art. 6 (1) f) DSGVO and, in the case of processing of special categories of personal data, your consent (Art. 9 (2) a), Art. 6 (1) a) DSGVO) or Art. 30 in conjunction with Art. 31 DSG/Swiss Data Protection Act. Art. 31 DSG/Switzerland. You give your consent by agreeing to the processing of personal data for the provision of the services when registering.

The submission of the declaration of consent is voluntary. You can revoke this at any time with effect for the future. The legality of the processing carried out on the basis of the consent up to the revocation consent until the revocation is not affected by this.

You can object to the processing of your personal data at any time by deleting individual messages in the chat history again or by sending an email with your request to kontakt@oviva.ch. Please take into account that the use of the chat function is not possible without the transmission of data to Google. If you do not wish the data processing, please use other communication channels to get in touch with your coach or your psychotherapist .

You can obtain Google Workplace’s privacy policy at:

https://gsuite.google.com/terms/mcc_terms.html as well as

https://gsuite.google.com/terms/dpa_terms.html.

(2) Coaching or your psychotherapist via video communication

You also have the option to connect with your coach or your psychotherapist via video communication online. online via video communication. For this purpose we provide a video conferencing service of Whereby AS, Gate 1 no. 107, 6700 Måløy, Norway (“Whereby”).

Technical information (authentication token, IP address, time of creation) is transmitted to Whereby to establish the video communication between you and your coach or your psychotherapist. This information is only stored to the extent necessary to establish the connection and to enforce security measures. This data is processed separately, is not assigned to any natural person and is subsequently deleted on a regular basis.

We have concluded an order processing contract with Whereby. The offer with video communication is part of our product offer. Insofar as you decide to use video communication with your coach or psychotherapist, data processing is mandatory, as we cannot otherwise offer you video communication via our app. The legal basis for the processing of your personal data is Art. 6 (1) b) DSGVO (contract performance) and, if not covered by this, our legitimate interest in providing a digital communication option with your coach or your psychotherapist with the involvement of a professional provider, Art. 6 (1) f) DSGVO or Art. 30 in conjunction with Art. 31 DSGVO. Art. 31 DSG/Switzerland.

The legal basis for the processing of special categories of personal data is your consent (Art. 9 (2) a), Art. 6 (1) a) DSGVO) or Art. 30 i.V.m. Art. 31 DSG/Switzerland. You give your consent by agreeing to the processing of personal data for the provision of the services when registering.

The submission of the declaration of consent is voluntary. You can revoke this at any time with effect for the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Please take into account that the use of video communication is not possible without the transmission of data to Nexmo Inc. If you do not want the data processing, please use other communication channels to contact your coach or psychotherapist(s).

You can obtain the privacy policy of Whereby AS at:

https://whereby.com/information/tos/privacy-policy/

4.1.9 Return and other evaluation

We value your feedback on the functionalities of our app as well as on our service very much, which is why we give you the opportunity to do so via the app. In this way, we can constantly improve our offer and adapt it to the needs of our customers.

If you submit feedback to us directly through our app, rather than in the app or Google Play store, it will be stored by us and linked to your user profile. Optionally, you also have the option to provide your email address so that we can contact you about your feedback if this is necessary to clarify your concern. A link to your user profile is only made in order to prevent misuse of the feedback function. Your feedback is only visible to you and to us. Other app users cannot see your feedback / rating.

We process your data to improve our offer and document your feedback. The legal basis for the processing is our legitimate interest in examining your request and improving our offer (Art. 6 (1) f) GDPR) and as far as special categories of personal data are concerned, your consent according to Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO or Art. 30 in connection with. Art. 31 DSG/Switzerland.

In order to be able to accept and manage your feedback, we use Freshdesk in our app, a helpdesk system from Freshworks Inc, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (hereinafter “Freshworks”). For this purpose, requests are stored on Freshworks’ servers in the EU or outside the EU. In order to ensure an adequate level of data protection, Freshworks has concluded EU standard contractual clauses (Art. 46 (2) c) GDPR and Art. 16 (2) c) GDPR/Switzerland), under which Freshworks undertakes to comply with European data protection law. These EU standard contractual clauses also include a contract for commissioned processing. For further details on this, please feel free to contact us.

Your feedback will be stored by us as long as your user profile exists. It will then be deleted. If you request us to delete it, we will also delete your feedback. As an alternative to deleting your feedback, we are entitled to anonymise your feedback so that it can no longer be traced back to you personally.

4.1.10 Processing of your data if you have not registered via the website and the initial registration is via the app

This section 4.1.10 only applies if you have not registered via the website and are registering for the first time via the app. When registering via the website for the first time, you will find the relevant processing in the data protection declaration for the website.

4.1.10.1 Registration via the app

4.1.10.1.1 We use the personal data you provide when you register, insofar as this is necessary for the initiation or implementation of the contractual relationship. During the initial registration, the following personal master data is usually collected and stored:

First and Last Name*,
Birth date*,
E-mail address*,
Mobile phone number*,

It is not possible to register without providing the data marked with a * in the registration mask. This data is used exclusively to initiate or implement the contractual relationship, in particular to contact you.

In addition, we use your personal master data to obtain a medical prescription from your treating doctor (see Section 4.1.10.2) and to contact you via SMS (see Section 4.1.10.3.4).

4.1.10.1.2 When registering for nutritional counseling or psychological psychotherapy, the e-mail address you send us in this way can also be used by us to send advertising e-mails. In such a case, we send direct advertising for our own similar goods or services with the e-mail. If you do not wish to receive advertising e-mails, you can unsubscribe from these advertising e-mails at any time. To do this, follow the unsubscribe link in the respective advertising e-mail.

4.1.10.2 Medical prescription for nutritional advice and psychological psychotherapy

Your statutory health insurance company will cover your nutritional counseling or psychological psychotherapy if you have a doctor’s prescription. In order to be able to examine such reimbursement, it may be necessary to collect and process the following sensitive personal data.

4.1.10.2.1 If you have not yet received a medical prescription for nutritional advice or psychological psychotherapy, we will be happy to contact the doctor treating you to obtain a prescription for you. For this purpose, in addition to the personal master data mentioned under 3.1.10.1.1, the following sensitive personal data are collected and processed:

Name and address of the doctor treating you*.

The transmission of the name and address of the attending physician to us and the subsequent transmission of your master data specified under 4.1.10.1.1 to the physician specified by you will only take place if you have given your consent for this.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of transmission when sending the data for transmission.

4.1.10.2.2 We also process the transmitted sensitive data to bill the services you have used.

You can also take advantage of our programs as a self-payer. In this case, it is not necessary to send a prescription from your doctor.

4.1.10.3 Oviva Coaching Suite and making appointments for nutritional advice and psychological psychotherapy

4.1.10.3.1 After registering via the app, we will check your registration and create a profile for you in the Oviva Coaching Suite. The Oviva Coaching Suite represents an electronic patient file and is used for documentation, administration and billing of the services you use. In addition, you can use the Oviva Coaching Suite to communicate with your assigned consultant and share information about your health and lifestyle.

4.1.10.3.2 You can access the functions of the Oviva Coaching Suite via our Oviva App. After you have registered, we will send you the registration data required for this, if necessary by SMS, to the mobile phone number you have provided or to your e-mail address.

4.1.10.3.3 In order to be able to arrange an appointment with you for nutritional advice or psychological psychotherapy, we will contact you by SMS, e-mail or telephone after you have registered. In order to book an appointment and then carry out the nutritional counseling or psychological psychotherapy, it is necessary for us to refer you to one of our advisors or one of our psychotherapists. Your counselor or psychotherapist will then be able to access and view the information you have stored in the Oviva Coaching Suite. Your counselor or psychotherapist is bound to confidentiality and will treat your personal data confidentially.

4.1.10.3.4 If you wish to be contacted by SMS (e.g. for an appointment confirmation and reminder as well as other reminders from your coach), we will use your personal master data according to Section 4.1.10.1.1 (first and last name, mobile phone number) as well as the treatment appointment for this purpose.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of transmission when sending the data for transmission.

To contact you via SMS, we use the Twilio service from Twilio Inc. and WebSMS from sms.at mobile internet services GmbH. For further information on how your data is processed by the service provider, see Section 5.1.3.2.1.

4.1.10.4 Nutritional advice

If you make use of our nutritional advice, we collect, store and use sensitive personal data about your state of health and your lifestyle (e.g. height, weight, age, nutritional and eating habits, diagnoses, comorbidities), chronologically recorded measurement data about your Sporting activities (number of steps, weight, energy burned, training, etc.) as well as information on the content and course of the therapy, as discussed between you and the nutritionist employed by Oviva AG or electronically (in particular via the App) are exchanged in order to be able to offer you our therapeutic nutritional advice in full in accordance with our General Terms and Conditions. It is your free decision whether you provide us with this data for the stated purpose. However, if you do not expressly declare your consent to the use of this data, a contractual relationship cannot come about.

This data is only collected and used in order to be able to offer you the contractual services of therapeutic nutritional advice. In the event of a medical referral, the health data contained in the referral will be sent to the health insurance company for billing purposes (see also Section 4.1.10.2.2). After completing the nutritional consultation, the referring doctor receives a final report summarizing the results of the consultation.

In addition to the other services mentioned in this data protection declaration, we use the services of Google Workplace, which are offered by Google Cloud EMEA Ltd., 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, to correspond with you. Your data will be processed on servers in the EU. An appropriate level of data protection in accordance with the requirements of the European Union is maintained at all times. If personal data is transferred to a third country outside of Switzerland and the European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses in accordance with Art. 44, Art. 46 Para. 2 c) GDPR or Art. 16 paragraph 2 lit. d DSG/Switzerland. For further details on this, please feel free to contact us.

We only process your sensitive personal data if you give your express consent by declaring this with a checkbox on the website or in the app.

4.1.10.5 Psychological psychotherapy

If you make use of our psychological psychotherapy, we collect, store and use sensitive personal data on your state of health (diagnosis and reason for referral, comorbidities, anamnesis, psychological status, therapy goals and procedures, results of diagnostic test procedures) as well as information on the content and Course of the therapy, as discussed between you and the psychotherapist employed by Oviva AG or exchanged electronically (in particular via the app) in order to be able to offer you our psychological psychotherapy in full in accordance with our General Terms and Conditions. It is your free decision whether you provide us with this data for the stated purpose. However, if you do not expressly declare your consent to the use of this data, a contractual relationship cannot come about.

This data is only collected and used in order to be able to offer you the contractual services of psychological psychotherapy. In the event of a medical referral, the health data contained in the referral will be sent to the health insurance company for billing purposes (see also Section 4.1.10.2.2).

We use the SaaS service PSYFILE Schweiz AG, Schanzeneggstrasse 1, 8002 Zurich to bill for psychological psychotherapy. By using this SaaS service, personal data required for billing, including health data, are passed on to the service provider.

We only process your sensitive personal data if you give your express consent by declaring this with a checkbox on the website or in the app.

4.1.10.6 Contacting for Studies

On the basis of the personal data you have provided, we will check whether you are a suitable participant (m/f/d) in one of our studies and, if necessary, will contact you to inform you of this possibility or to provide you with further information on this if you are interested, a (telephone) interview to discuss how to proceed and to check whether you are actually a suitable participant (m/f/d).

The processing of your personal data for these purposes is based on your consent in accordance with Article 6 Paragraph 1 a), Article 9 Paragraph 2 a) GDPR or Article 30 in conjunction with Article 31 DSG/Switzerland.

4.2 Data collection without your participation

4.2.1 Data processing necessary to run the app

In order for the app to function properly, this requires internet access and therefore accesses to the network connection.

When you install our app, information is automatically sent to the server of our app by the application (app) used on your end device. This information is temporarily stored in a so-called log file.

The following information is collected without your intervention and stored until it is deleted:

IP address of the requesting end device,
Date and time of access,
the version of the app used in each case,
Manufacturer, type and operating system of your device as well as the name of your access provider.

The aforementioned data is processed by us to ensure a smooth connection setup of the app, to ensure a comfortable use of our app, to evaluate the system security and stability as well as for other administrative purposes. Processing of personal data is carried out insofar as the processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures pursuant to Art. 6 (1) b) DSGVO and otherwise on the basis of our legitimate interests described above pursuant to Art. 6 (1) f) DSGVO or Art. 30 in connection with Art. 31 DSGVO. Art. 31 DSG/Switzerland. As far as special categories of personal data are concerned, your consent (Art. 9 (2) a), Art. 6 (1) a) DSGVO resp. Art. 30 i.V.m. Art. 31 DSG/Switzerland) is the legal basis for the processing. You give your consent by agreeing to the processing of personal data for the provision of the services.

4.2.2 Firebase

To improve the stability and reliability of our app, we process crash reports. For this purpose we use Firebasea Service from Google. For users with their usual place of residence in the European Economic Area or Switzerland, the responsible Google company is Google Ireland Limited, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland, and for users with a

other habitual residence is Google LLC, with its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The company responsible for the respective user is hereinafter referred to as “Google”. The latter company is also the parent company of Google Ireland Limited, which is also referred to below.

The processing is based on our legitimate interests in a secure and stable provision of our services pursuant to Art. 6 (1) f) DS-GVO or Art. 30 in conjunction with. Art. 31 DSG/Switzerland. As far as special categories of personal data are concerned, your consent (Art. 9 para. 2 a), Art. 6 para. 1 a) DSGVO resp. Art. 30 i.V.m. Art. 31 DSG/Switzerland) is the legal basis for the processing. This consent is declared by you agreeing to the processing for the provision of the services.

When the app crashes, information is transmitted to Google (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the cell phone, last log messages). We do not pass on email addresses, phone numbers or passwords. do not pass them on.

This data is usually transferred to a Google server in the EU and stored there. Google may transfer personal data to countries outside the EU and the EEA without an adequacy decision, in particular to Google’s parent company, for all of the services mentioned below. Google relies on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection.

The EU standard contractual clauses can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/uri=CELEX%3A32021D0915&locale-en=. For more details on this, please feel free to contact us.

On Android systems, you can deactivate the transmission of data to Google in this context. To do this, open the Settings app, select the item “Google” and there, in the three-point menu at the top right, the menu item “Usage & Diagnostics”. Here you can deactivate the sending of the corresponding data. You can find more information in the help for your Google account.

For more information on data privacy, please refer to the privacy notices of Firebase Crashlytics at https://firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#datacollection-policies.

4.2.3 Mixpanel

Based on your consent, we use your data for the further development of our app. In doing so, we pseudonymize your data before it is processed by a service provider. The service provider cannot draw any conclusions about individual persons. We use the “Mixpanel” analysis service of Mixpanel Inc, San Francisco, 405 Howard Street, Floor 2, San Francisco, CA 94105 (hereinafter “Mixpanel”). Mixpanel logs page views and page activity. To make this possible, anonymized log data is transmitted to Mixpanel on their behalf. Since Mixpanel is an international organization, we have entered into contracts with Mixpanel based on the EU standard contractual clauses to ensure a level of data protection equivalent to that in the EU and Switzerland, with which Mixpanel undertakes to comply with European data protection law. For further details on this, please feel free to contact us. You can also find more information about the use of your data on the English privacy page of the Mixpanel service at https://mixpanel.com/legal/privacy-policy/. The legal basis for the processing of your data is Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO (your Consent) or Art. 30 in conjunction with. Art. 31 DSG/Switzerland.

4.2.4 Microsoft Azure

To support our nutritional counseling and psychotherapy, we also use the services of Microsoft Azure of Microsoft Ireland Operations Limited, including for the development of nutritional plans and the creation of other nutritional tips.

The corresponding processing of data is based on your consent, which you give when registering for processing for the provision of services, and is thus carried out in accordance with Art. 6 para. 1 a), Art. 9 para. 2 a) DSGVO or in accordance with Art. 30 i.V.m. Art. 31 DSG/Switzerland.

In this context, personal data is also transferred to Microsoft Ireland Operations Limited. We have therefore concluded an order processing contract with this company.

It is possible that Microsoft Ireland Operations Limited transfers personal data to Microsoft Corporation, in the USA, on the basis of EU standard contractual clauses (Art. 46 para. 2 c) DSGVO or Art. 16 para. 2 lit. c DSG/Switzerland). For further details on this, please feel free to feel free to contact us.

5. Passing on the data to other third parties

5.1 Disclosure of data to external third parties

We may need to share some data with external third parties in strict compliance with applicable data protection laws in addition to the tools and features used on our website.

For the content-related technical support and design of our app, it may be necessary for external service providers to gain access to personal data (e.g. IT service providers). In this case, the handling of your personal data takes place exclusively according to our explicit instructions and on the basis of an agreement on commissioned processing pursuant to Art. 28 GDPR or Art. 9 DSG/Switzerland.. With this agreement, the service provider guarantees us that the service provision is in accordance with applicable data protection law.

5.1.1 For sending 1-time codes when logging in to the app

If you register with your mobile phone number and your date of birth in our app (see section 4.1.2) and therefore require a 1-time code via SMS to register, we use the Twilio service tool of Twilio Inc., 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”) to transmit the code.

The legal basis for the processing is Art. 6 (1) b) DSGVO (legitimate interests in the aforementioned processing purposes) and, insofar as special categories of personal data are processed, additionally Art. 6 (1) a), 9 (2) a) DSGVO or Art. 30 in conjunction with Art. Art. 31 DSG/Switzerland.

Twilio may also process your personal data on servers in the USA. For this reason, to ensure a level of data protection that corresponds to the EU, we have concluded EU standard contractual clauses with Twilio (Art. 46 para. 2 c) DSGVOArt. 16 para. 2 lit. c DSG/Switzerland), under which Twilio undertakes to comply with European data protection law. For further details on this, please feel free to contact us.

For more information about Twilio’s data processing, please see Twilio’s privacy policy at https://www.twilio.com/legal/privacy.

5.1.2 External hosting of patient data

For hosting the patient data, we use Google Cloud Platform, GCP. An offer from Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Your data is processed on servers in Germany. Google Cloud EMEA Ltd. is part of an international group of companies. Therefore, it cannot be ruled out that this personal data will be transferred to third countries. Insofar as personal data is transferred by Google Cloud EMEA Ltd. to a third country outside the European Economic Area, for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses according to Art. 44, Art. 46 para. 2 c) DSGVO or Art. 16 para. 2 lit. c DSG/Switzerland. The EU standard contractual clauses can be found at.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en=.

For further details on this, please feel free to contact us.

For further information, please refer to Google’s privacy policy (https://www.google.com/policies/privacy) and the security notices for Google

Cloud services (https://cloud.google.com/privacy).

5.1.3 Service Providers, in cases where you have not registered via the Website and the initial registration is via the App

This section 5.1.3 only applies if you have not registered via the website and are registering for the first time via the app. When registering for the first time via the website, the relevant service providers can be found in the data protection declaration for the website.

5.1.3.1 To send emails

We use “Sendgrid” to send emails. Sendgrid is an offer from Twilio Inc. 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”).

For order processing, the following data, among others, is collected and transmitted to Sendgrid:

Your email address,
Your complete name,
Your Address.

Only transactionally necessary information that is necessary to understand and classify the e-mail is transmitted.

For statistical purposes, Twilio carries out anonymous (or only personalized after your express permission) link tracking via Sendgrid on our behalf. You can view Twilio’s current privacy policy at https://www.twilio.com/legal/privacy.

You can object to the use of Sendgrid as a processor. In this case, however, we can no longer send you e-mails for technical and organizational reasons.

5.1.3.2 To send SMS

5.1.3.2.1 Twilio

In order to be able to contact you via SMS (e.g. to send 1-time codes in the Oviva app, for appointment confirmations and appointment reminders via SMS), we use Twilio, a service tool from Twilio Inc., 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”). Twilio also processes your personal data on servers in the USA. For this reason, to ensure a level of data protection corresponding to that of the EU, we have concluded EU standard contractual clauses with Twilio, according to which Twilio undertakes to comply with European data protection. For further details on this, please feel free to contact us.

For order processing, we transmit your mobile phone number in encrypted form to Twilio, where it is stored.

For more information about Twilio’s data processing, see Twilio’s privacy policy at https://www.twilio.com/legal/privacy.

You can object to the use of Twilio as a processor. In this case, however, we can no longer send you SMS for technical and organizational reasons.

5.1.3.2.2 Web SMS

In addition, we use the WebSMS service tool from sms.at mobile internet services GmbH, Brauquartier 5/13, 8055 Graz, Austria (hereinafter “WebSMS”) for your coach to contact you.

For order processing, we transmit your mobile phone number to WebSMS in encrypted form. No further customer data is transmitted to WebSMS.

You can object to the use of WebSMS as a processor. In this case, however, we can no longer send you SMS for technical and organizational reasons.

5.1.3.2.3 Salesforce

Salesforce is also used to send SMS. See below in section 5.1.3.3.

5.1.3.3 Use of Salesforce Sales Cloud and Marketing Cloud

Data that you make available to us (e.g. personal data when registering for nutritional advice) is stored in the Salesforce Sales Cloud (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich) on servers in Germany and France saved and used for customer management.

We use the Salesforce Marketing Cloud to send transactional and newsletter emails and push notifications. To do this, your data is transferred from the Sales Cloud to the Marketing Cloud. The Salesforce Marketing Cloud data is also stored on servers in Germany and France.

Salesforce is part of an international group of companies. It is therefore conceivable that personal data will also be transmitted to countries outside the EU or the EEA without an adequacy decision. This group of companies has committed itself to binding internal data protection regulations in accordance with Art. 46 Para. 2 b) and Art. 47 EU-DSGVO (so-called binding corporate rules) or Art. 16 Para Data processing outside the European Union, the European Economic Area and Switzerland to maintain an appropriate level of data protection. Please contact us if you would like a copy of the Binding Corporate Rules.

The data in the Salesforce Sales Cloud and in the Salesforce Marketing Cloud are used exclusively by us. To ensure a level of data protection corresponding to that of the EU, we have concluded an order processing contract with Salesforce.

5.1.4 Other Service Providers

For more information about what data is passed on to third parties when registering for nutritional advice and during nutritional advice, see Section 5 of the website’s privacy policy.

5.2 Disclosure due to legal obligation

We reserve the right to disclose your personal data if we are legally obliged to do so or if we are required to do so by authorities or law enforcement agencies.

6. Analysis of anonymised data for validation purposes

In order to meet our quality standards and to improve and further develop our services, we evaluate the services we provide to you as part of the consulting relationship. For this purpose, we remove any personal reference to you and also use this anonymised data after the end of the consulting relationship for the purpose of validation and quality management (improvement and further development of our services and offers).

The anonymization of the data is based on your consent in accordance with Art. 6 (1) a), Art. 9 (2) a) DSGVO or Art. 30 DSG/Switzerland in conjunction with Art. 31 DSG/Switzerland.

In addition, we analyse your anonymised data and compile statistics on various patient groups in order to better understand our patient structure and thereby also improve and further develop ourselves. Under certain circumstances, these statistics may also be used in cooperation with institutes for research purposes or may also be published. At no time can conclusions be drawn about individual persons from the statistics used in this way.

7. Data security measures and place of data processing

We protect your personal data according to the state of the art with appropriate technical and organisational measures. All employees and contracted specialists of Oviva AG (such as your consultant) who have access to your data are bound by the GDPR, the BDSG and the corresponding Swiss law and other legal regulations for the protection of your data, as well as demonstrably obliged to process personal data exclusively on the instructions of Oviva and in a manner that ensures an appropriate level of protection for the security of the data, in particular its integrity and confidentiality, and not to disclose it to third parties without authorization. Employees involved in processing operations will be made aware of and trained in data protection requirements. Third parties will not have access to your personal data without your express consent.

Your data will be stored in a data center in Germany. In addition, we require our external service provider to use your personal data exclusively in accordance with our specifications and in compliance with this privacy policy and the legal requirements for order processing.

8. Duration of the storage of your personal data

The personal data provided by you will only be stored by us for as long as is necessary for the fulfilment of the respective purpose for which you have provided us with your data, for compliance with statutory provisions or official requirements or the assertion of or defence against claims in connection with the contractual relationship. In the latter case, your data will be pseudonymised until it is actually used for the assertion or defence of claims and blocked for any other form of data processing.

9. Transfers to third countries

Insofar as it is stated in this Privacy Policy or elsewhere that we transfer data to countries outside the EU and the EEA, a corresponding transfer usually takes place on the basis of consent pursuant to Art. 49 para. 1 a DSGVO or Art. 17 DSG/Switzerland, on the basis of EU standard contractual clauses (Art. 46 para. 2 c) DSGVO or Art. 16 para. 2 lit. c DSG/Switzerland or on the basis of Binding Corporate Rules (Art. 46 para. 2 b), Art. 47 DSGVO) or Art. 16 para. 2 lit. e DSG/Switzerland. If you would like a copy of this, please feel free to contact us.

10. Data subject rights

Applicable data protection law grants you the right, under certain circumstances, to object to the processing of your data, in particular those for direct marketing purposes, profiling for direct marketing and other legitimate interests in processing. In order to make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:

The right to request information from us as to whether and which of your data we are processing;
the right to have data corrected if it is inaccurate;
the right to request the erasure of data;
the right to request that we provide certain personal data in a commonly used electronic format or transmit it to another person in charge;
the right to withdraw consent where our processing is based on your consent;
the right, upon request, to obtain further information necessary for the exercise of these rights;
the right to express your point of view in the case of automated individual decisions and to request that the decision be reviewed by a natural person.

If you wish to exercise the above rights against us (or against any of our group companies), please contact us in writing, at our premises or, unless otherwise stated or agreed, by email; Our contact details can be found in Section 2. In order to prevent misuse, we must identify you (e.g. with a copy of your ID, unless this is otherwise possible).

If you have installed the app, the easiest way to request deletion of the data is via the app.

You also have these rights vis-à-vis other bodies that work with us on their own responsibility – please contact them directly if you wish to exercise rights in connection with their processing. Information on our important cooperation partners and service providers can be found in section 5.

Please note that these rights are subject to requirements, exceptions or limitations under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.

In particular, we may have to process and store your personal data in order to fulfill a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. As far as legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we can therefore also reject a data subject request in whole or in part (e.g. by blacking out certain content that relates to third parties or our business secrets).

If you do not agree with our handling of your rights or data protection, please let us or our data protection officer (section 2) know. In particular, if you are located in the EEA, UK or Switzerland, you also have the right to complain to your country’s data protection supervisory authority. A list of the authorities in the EEA can be found here: https://edpb.eur pa.eu/about edpb/board/members_de. The UK regulator can be reached here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/de/home/adresse.html.

11. Different language Versions

In the event of any conflict or difference in interpretation between the different language versions of this Privacy Policy, the German version shall prevail.

12. Updating and changes

Parts of this Privacy Policy may be changed or updated by us without prior notice to you. Please review the Privacy Policy before using our services to be aware of any changes or updates.