for the use of the MIZU app
Version: 1.0.3
Date: 31.10.2024
Health is a sensitive topic. Carealytix Digital Health GmbH (hereinafter referred to as “Carealytix” or “we”) is committed to protecting your privacy when using the MIZU App and ensures that personal data is only processed in accordance with the applicable data protection regulations, in particular the EU General Data Protection Regulation. We take the protection of your personal data (hereinafter referred to as “data”) seriously and therefore comply with the applicable data protection laws.
With these data protection provisions, we comply with our information obligations under Art. 12 et seq. of the General Data Protection Regulation (hereinafter referred to as “GDPR”). We would like to give you an overview of what data we store from you and when, and how we use this data. Your data will only be collected by us to the extent technically necessary. Under no circumstances are we going to sell your data or pass it on to third parties for unjustified reasons.
Please read this Privacy Policy carefully and in conjunction with our General Terms of Use. The currently valid version of the General Terms of Use can be downloaded and printed out at any time at https://www.mizu-app.com/en/terms.
“MIZU” is a digital app that is developed and operated by us - Carealytix Digital Health GmbH, Hohendilching 3, 83626 Valley, Germany.
The application offers the following range of functions:
Disclaimer: The use of the app does not replace a visit to the doctor and serves to support your self-perception and, under certain circumstances, the supplementary interpretation of your entries by your treating doctor.
For more information about the app, visit https://www.mizu-app.com/en/home and read the applicable Terms of Use available at https://www.mizu-app.com/en/terms.
“Responsible party” is, according to Art. 4 No.7 GDPR, the person who decides on the purposes and means of the processing of the personal data. Above all, he determines what is processed, how and for what purpose. He is responsible for the processing and must ensure that the data protection regulations are complied with.
“Processor” is, according to Art. 4 No.8 GDPR, the person who acts for the responsible party and processes personal data on the responsible party’s behalf.
“Personal data” are, according to Art. 4 No.1 GDPR, all information that can be attributed to a directly or indirectly identifiable natural person (“data subject”).
“Processing” means according to Art. 4 No.2 GDPR all possible types of data processing. This includes the collection, recording, organizing, arranging, storing, adapting, modifying, reading out, querying, using, disclosing, transmitting, disseminating, linking, restricting, deleting, or destroying of personal data.
“Data subject” means, pursuant to Art. 4 No.1 GDPR, the natural person to whom the data processed by the responsible party can be directly or indirectly attributed.
“Recipient” is, according to Art. 4 No.9 GDPR, the person to whom personal data is disclosed, regardless of whether it is a third party or not.
“Third party” is, according to Art. 4 No. 10 GDPR, anyone other than the data subject, the responsible party, the processor, and the persons authorized to process the personal data under the direct responsibility of the responsible party or the processor.
“Special categories of personal data” include, according to Art. 9 (1) GDPR, health data of the data subject. These data have a higher protection requirement.
“Health data” means, pursuant to Art. 4 No.15 GDPR, such personal data relating to the physical or mental health of the data subject from which information about the health status of the data subject is obtained.
“Consent” means, pursuant to Art. 4 No. 11 GDPR, any freely given, informed and unambiguous indication of the data subject's wishes in the form of a statement or other unambiguous affirmative act (e.g., ticking a checkbox provided for this purpose) by which the data subject indicates that he or she consents to the processing of his or her personal data.
Responsible for data processing within the scope of the MIZU app within the meaning of Art. 4 No. 7 GDPR is, as provider and operator, Carealytix Digital Health GmbH, Hohendilching 3, 83626 Valley represented by the management (hereinafter referred to as “responsible party”). If you have any questions in connection with the processing of personal data, please contact the responsible person by email at info@mizu-app.com.
However, you also have the right to contact the external data protection officer of the responsible party with questions in connection with the processing of your personal data and regarding the exercise of your data subject rights under the GDPR. You can reach him under the following contact details:
QuR.digital GmbH
Große Elbstraße 135
22767 Hamburg
Contact person: Katharina Böck
Tel.: +49(40)32524552
E-Mail: info@qur.digital
Carealytix uses standard, well-known methods to transmit and store your data securely. To ensure the best possible protection for the data you transmit to us, we use a so-called Transport Layer Security encryption protocol, or TLS encryption for short, within the scope of our application. This encryption ensures that the data transmitted by you cannot be read, diverted, or changed by unauthorized third parties during their transmission to us.
We use legally required technical and organizational security measures to protect the data we have under our control against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
A major threat to your data comes from strangers who gain unauthorized access to your smartphone. Therefore, it is important to use the protection mechanisms provided by Android or Apple. These include an unlock password, Touch ID (fingerprint) or Face ID.
Your data will be stored and processed exclusively in security-certified data centers within the European Union. We reserve the right to use various service providers to store and process your data, but they will act exclusively on our behalf and in accordance with our instructions. We will oblige the service providers we use to take technical and organizational measures that are suitable according to the current state of technology to ensure data protection-compliant processing of your data. Under no circumstances will your data be passed on or sold to third parties by our service providers.
As a “data subject” within the meaning of Article 4 No. 1 of the GDPR, you are entitled to certain indispensable rights (data subject rights). The responsible party is obligated to guarantee these data subject rights and must contractually obligate the commissioned processors to provide the best possible support in implementing these data subject rights. In this respect, you are entitled to the following data subject rights:
You are entitled to claim your data protection rights at any time by notifying the data processor in writing or electronically using the contact details provided above. Alternatively, you can also contact the data protection officer of the responsible party. The contact details are also mentioned above in this privacy policy. In this context, both the responsible party and the data protection officer reserve the right to verify your identity by means of a suitable procedure.
The responsible party will only pass on your data to third parties within the meaning of Art. 4 No.10 GDPR if
The responsible party may use service providers as processors that have their place of business in a third country or are part of an international organization that has its place of business in a third country. In the context of the GDPR, a third-party country is a country that is not a member of the European Union (EU) or the European Economic Area (EEA) and thus does not remain under the regulatory influence of the GDPR. These third-party countries have in common that they sometimes have their own data protection law, the content of which, however, may be below the level of protection of the GDPR. Against this background, Art. 44 GDPR provides that the transfer of data to third countries is only permitted under certain legal conditions.
As a rule, the permissibility of data transfer to third countries is based on an adequacy decision between the EU Commission and the third-party country in question in accordance with Art. 45 GDPR. The existence of an adequacy decision indicates that the data protection law applicable in the third-party country in question provides a level of protection for your personal data that is comparable to the GDPR. If no such adequacy decision exists, the data transfer is alternatively based on the conclusion of a contract between the responsible party and the corresponding service provider based on the standard contractual clauses issued by the EU Commission in accordance with Art. 46(2) (c) of the GDPR. These contractual clauses provide a sufficient guarantee on the part of the respective service provider also regarding the enforceability of the data subject rights provided for by the GDPR.
You will be expressly informed by us within the scope of this privacy policy if a service provider has such a third country reference. In this case, by giving your consent, you agree to your personal data being transferred to such a company.
If you want to use the MIZU app, you first need to download it from the app store of your device. The application is currently available as a download from the Apple App Store and the Google Play Store. When downloading the application, certain personal data is transmitted to the respective app store.
Processed data:
Processed are the username of the store account, your email address, the content of the request and the operating system of the terminal device used by you.
Purposes of processing:
The data is required by the operator of the respective app store to provide you with the application for download. In this context, the processing of this data is carried out exclusively by the operator of the respective App Store and is therefore beyond the control of the responsible party.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No.9 GDPR is the operator of the app store through which you download the application. In connection with the legal basis for the processing of your data as well as regarding the storage period, please consider the respective data protection provisions stored in the App Store.
Information on data protection in connection with the Google Play Store can be found at https://policies.google.com/privacy.
For privacy information related to the Apple App Store, please visit https://www.apple.com/de/legal/privacy/.
When using the MIZU app, your end device automatically transmits data to us, i.e., without any active transmission of data by you. This data is necessary so that we can enable you to use the MIZU app.
Processed data:
Processed are your IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (concrete page), access status/HTTP status code, amount of data transferred in each case, operating system and its interface, language, and version of the MIZU app.
Purpose of processing:
The data is required so that we can enable you to use the MIZU App. The data is also used to ensure the functionality and error-free operation of the MIZU App and to be able to offer a service that is in line with the market and interests.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (b) GDPR, as the processing is carried out to fulfill our user contract with you.
Recipients of the data:
The recipient of your personal data within the meaning of Art. 4 No.9 GDPR is the hosting provider of the MIZU app. In this context, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany, acts as a processor for us within the meaning of Art. 4 No.8 GDPR and was accordingly obligated based on a contract for the processing of orders (AV contract) to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your personal data.
Storage period:
The data automatically collected and transmitted by your terminal device will remain stored at the longest until the purpose of the data processing no longer applies. The purpose ceases to apply at the latest when the user contract is terminated.
The registration of a user-specific account (user account) is first required to use the range of services associated with the MIZU app. For this, it is necessary that you go through the registration process within the app and provide certain personal data in this context.
Processed data:
The username (pseudonym) selected by you, your contact data (e.g., email address), the password assigned by you, information on your biological sex as well as your date of birth and, under certain circumstances, health-related data (e.g. CKD stage) are processed.
Purpose of processing:
The data is required so that you can create a user account within the scope of the MIZU app and use the services offered accordingly. Please note that without registration of a user account, the services and benefits offered within the MIZU app cannot be used or cannot be used completely.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) letter a) or on Art. 9 (2) letter a) GDPR. You give your consent during the registration process by ticking the checkbox provided for this purpose.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the MIZU app, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany. To enable push notifications for iOS and macOS devices, we also use the Apple Push Notification Service (APNs) from Apple Inc, Apple Park, One Apple Park Way, Cupertino, CA 95014, USA and Firebase Cloud Messaging (FCM) from Google Ireland Ltd, Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland.
In this context, all of the aforementioned service providers act for us as processors within the meaning of Art. 4 No. 8 GDPR and have been obliged to set up and maintain suitable technical and organizational measures (TOMs) to protect your data on the basis of a data processing agreement.
Please note in this context that Google Ireland Ltd. is a subsidiary of Google LLC and, like Apple Inc, has its registered office in the USA. Although data transfer to the USA is not planned in principle, it cannot be completely ruled out and the corresponding regulations on data transfer to third countries apply.
Storage period:
The data collected and transmitted as part of the registration process will be stored at the longest until the purpose of the data processing no longer applies or until your consent, once given, is revoked. The purpose ceases to apply at the latest when the user contract is terminated.
In principle, it is also possible to use the MIZU app without prior registration of a user-specific account (user account). Please note, however, that only a limited range of functions is then available to you within the scope of the MIZU app. Even then, your personal data will be processed to enable you to access the limited range of functions.
Processed data:
Processed are health-related data (e.g., CKD stage), app usage data, and in some circumstances your location.
Purpose of processing:
The data are required to enable you to access the limited range of functions within the MIZU app.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR. You give your express consent by agreeing to the processing of your personal data in accordance with this privacy policy by ticking a checkbox provided for this purpose.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the MIZU app, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany. To enable push notifications for iOS and macOS devices, we also use the Apple Push Notification Service (APNs) from Apple Inc, Apple Park, One Apple Park Way, Cupertino, CA 95014, USA and Firebase Cloud Messaging (FCM) from Google Ireland Ltd, Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland.
In this context, all of the aforementioned service providers act for us as processors within the meaning of Art. 4 No. 8 GDPR and have been obliged to set up and maintain suitable technical and organizational measures (TOMs) to protect your data on the basis of a data processing agreement.
Please note in this context that Google Ireland Ltd. is a subsidiary of Google LLC and, like Apple Inc, has its registered office in the USA. Although data transfer to the USA is not planned in principle, it cannot be completely ruled out and the corresponding regulations on data transfer to third countries apply.
Storage period:
The data collected and transmitted within the scope of the use of the MIZU app without a user account will remain stored at the longest until the purpose of the data processing no longer applies or until your consent, once given, is revoked.
If you have created a user account and use the MIZU app with your user account, the full functionality of the app is available to you. This includes the provision of additional personalized content as well as additional functions such as medication plans, logs, and diaries. In this context, your personal data will be processed to enable you to access the range of functions.
Processed data:
Your self-entered health-related data (e.g., CKD stage, health status, lab values & weight values, blood pressure), master data (e.g., date of birth), address data, IP addresses, app usage data and possibly your location are processed.
Purpose of processing:
The data is required to enable you to access the functions offered within the MIZU app. Your location is required to be able to use certain functions within the scope of the app in the first place.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR. You give your express consent by agreeing to the processing of your personal data in accordance with this privacy policy by ticking a checkbox provided for this purpose.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the MIZU app, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany. To enable push notifications for iOS and macOS devices, we also use the Apple Push Notification Service (APNs) from Apple Inc, Apple Park, One Apple Park Way, Cupertino, CA 95014, USA and Firebase Cloud Messaging (FCM) from Google Ireland Ltd, Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland.
In this context, all of the aforementioned service providers act for us as processors within the meaning of Art. 4 No. 8 GDPR and have been obliged to set up and maintain suitable technical and organizational measures (TOMs) to protect your data on the basis of a data processing agreement.
Please note in this context that Google Ireland Ltd. is a subsidiary of Google LLC and, like Apple Inc, has its registered office in the USA. Although data transfer to the USA is not planned in principle, it cannot be completely ruled out and the corresponding regulations on data transfer to third countries apply.
Storage period:
The data collected and transmitted within the scope of using the MIZU app with a user account will remain stored at the longest until the purpose of the data processing ceases to apply or until your consent, once given, is revoked. The purpose ceases to apply at the latest when the user contract is terminated.
As part of the services offered within the MIZU app, you have the option of sharing your personal data that you have stored within the application with selected recipients (e.g. as part of a clinical study). These institutions or medical service providers may also share information with us. As soon as you connect with a corresponding institution or medical service provider, your personal data will be transmitted in both directions and shared accordingly.
Processed data:
Your self-entered health-related data (e.g. CKD stage, health status, laboratory values & weight values, blood pressure), master data (e.g. date of birth), address data, IP addresses and app usage data are processed.
Purposes of processing:
The data is processed to provide you with the opportunity to share your data with your selected recipients.
Legal basis:
The lawfulness of this data processing is based on Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR (e.g. for the transmission of health data). You give your consent by actively and independently linking your user account with a recipient in the MIZU app.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the institution or service provider with whom you have actively shared your personal data. It is also possible for these institutions or medical service providers to share information with us. You therefore choose the recipient of your personal data yourself. The controller has no influence on this decision. Your data may be shared via a tool provided by the recipient of the data. The controller has no influence on the processing of your personal data within the scope of the tool.
Storage period:
Your data will be transmitted to the recipients determined by you at the longest until you revoke your consent once given. You can revoke your consent to share your data from the MIZU app at any time with effect for the future in the app settings.
You may be eligible for our special Kidney+ care programme. This is a so-called hybrid care model in which, in addition to digital care via our MIZU app, you also receive personal care from our professionally qualified care team. Your personal data will be processed in this context.
Processed data:
Your self-entered health-related data (e.g. CKD stage, health status, laboratory values & weight values, blood pressure), master data (e.g. date of birth), address data, IP addresses, app usage data and, under certain circumstances, your location and chat data are processed.
Purposes of processing:
The aforementioned data is required so that our Care Team can obtain an overview of your current situation and usage data within the MIZU app and contact you (e.g. via in-app chat or video call), for example to recommend certain content in the app. It is also possible to activate an AI assistant as part of the chat system, provided you give your express consent.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6(1) (a) GDPR or on Art. 9 (2) (a) GDPR (e.g., for the transfer of health data). You give your consent by actively and independently linking your user account to a recipient within the MIZU app.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the Care Team deployed as part of Kidney+, with which you have actively and independently linked yourself. The transmitted data will be stored by the hosting provider of the Kidney+ Desk, Scaleway SAS, 8 rue de la Ville l'Évêque, 75008 Paris, France. To enable push notifications for iOS and macOS devices, we also use the Apple Push Notification Service (APNs) from Apple Inc, Apple Park, One Apple Park Way, Cupertino, CA 95014, USA and Firebase Cloud Messaging (FCM) from Google Ireland Ltd, Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland.
In this context, all of the aforementioned service providers act for us as processors within the meaning of Art. 4 No. 8 GDPR and have been obliged to set up and maintain suitable technical and organizational measures (TOMs) to protect your data on the basis of a data processing agreement.
Please note in this context that Google Ireland Ltd. is a subsidiary of Google LLC and, like Apple Inc, has its registered office in the USA. Although data transfer to the USA is not planned in principle, it cannot be completely ruled out and the corresponding regulations on data transfer to third countries apply.
If an appointment is made for a coaching session with the Care Team, the Microsoft365 service, provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, is also available.
During the coaching sessions with the Care Team, a transcript is created that summarizes the exchange. Based on your chat messages, a selection of pre-formulated responses can also be suggested to the Care Team, which can be sent directly to you. We use the GPTX.X technology from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.
The hosting of Microsoft Corporation takes place within the scope of the GDPR, i.e. within the European Union.
This is also a processor within the meaning of Art. 4 No. 8 GDPR, which has been obliged to set up and maintain appropriate technical and organizational measures (TOMs) to protect your personal data on the basis of an order processing contract (DPA).
Storage period:
The data collected and transmitted as part of your participation in the Kidney+ care programme will remain stored until the purpose of the data processing no longer applies or until you withdraw your consent. The purpose ceases to apply at the latest when you remove the link to the care programme in the MIZU app.
To facilitate your access to the use of the MIZU app and to provide you with an overview of the entire range of services within the app, the responsible party will provide training courses as part of the onboarding process, which will be sent to you by email. These are emails that do not contain any promotional information and are therefore not newsletters.
Processed data:
Processed in this context is your email address.
Purposes of processing:
The processing of your email address is necessary for the responsible party to send you the emails with the training or onboarding content and thus make the use of the MIZU App more accessible to you.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR (legitimate interest). The legitimate interest follows from the desire of the responsible party to be able to provide you with a comfortable and secure user experience within the scope of the app. In this sense, the processing is also not opposed by any interests worthy of protection on your part, as the chosen form of processing represents a secure and targeted procedure to train you in the use of the MIZU app.
Recipients:
The recipient of your personal data in the sense of Art. 4 No. 9 GDPR is the Encharge service (Encharge Inc., Cherkovna 57, office 19, Sofia, Bulgaria, 1505). In this context, the provider of Encharge acts as a processor for the responsible party and has been accordingly obliged by the responsible party based on a processing contract to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your data.
Storage period:
The data processed in the context of receiving transactional emails will be stored at the longest until the purpose of the data processing no longer applies or until an effective objection to this processing is raised.
The responsible party anonymizes usage data and other data that accumulates during your use of the MIZU app to make these available for statistical evaluations and to make them available to third parties (e.g., companies from the healthcare industry) exclusively in anonymized form. Anonymized data can no longer be assigned to you, as they have lost any personal reference.
Processed data:
Processed is your (anonymized) usage data.
Purposes of processing:
The anonymized usage data and other data are processed in aggregated form to make them available to third parties (e.g., companies in the healthcare industry) under certain circumstances.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) or on Art. 9 (2) (a) GDPR. You give your consent during the registration process by ticking the checkbox provided for this purpose.
Recipients:
Recipients of your anonymized data are, for example, companies in the healthcare industry, research institutes or medical societies.
Storage period:
Since your data is used exclusively in anonymized form for these purposes, there is no time limit on the storage period. In principle, the data processing will be carried out until you revoke your consent once granted.
Within the MIZU app, you always have the possibility to contact the responsible person (e.g., by email to info@mizu-app.com) or to submit a support request. In this context, personal data will be processed.
Processed data:
Your master data (e.g., name, address), your contact data (e.g., telephone number, email address) and the specific content of the inquiry are processed. Please note that the responsible party has no influence if you transmit sensitive data (e.g., health data) to them as part of your request. You will not be asked by the responsible party to send such data.
Purposes of processing:
The processing of the data mentioned above is carried out for the purpose of being able to answer your inquiry quickly and to your satisfaction.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. You give your consent by actively sending the responsible party a corresponding request (e.g., by email).
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service Zendesk (Zendesk Inc. 989 Market Street #300, San Francisco, CA 94102, United States). In this context, the provider of Zendesk acts as a processor for the responsible party and was accordingly obligated by the latter based on a processing agreement to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your data.
Please note in this context that Zendesk Inc. has its registered office in the United States. A data transfer to the United States is not intended in principle but can also not be conclusively excluded. In this respect, the explanations regarding data transfer to third countries apply.
Storage period:
The data processed in the context of receiving and responding to your request will be stored at the longest until the purpose of the data processing no longer applies.
Within the in-app messaging structure of the MIZU app, so-called transactional emails (e.g., for account activation or password resets) are used. These are emails that do not contain any promotional information and are therefore not newsletters.
Processed data:
Processed in this context is your email address.
Purposes of processing:
The processing is carried out for the purpose of enabling an automated system for account activation as well as for resetting your password, which you have assigned as part of the creation of your user account.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR (legitimate interest). The legitimate interest follows from the desire of the responsible party to provide you with a convenient and secure system in connection with the activation of your user account and the resetting of your password. In this sense, the processing is also not opposed by any interests worthy of protection on your part, since the selected form of processing represents a secure procedure, which also represents the current state of the art in terms of the principle of “Privacy by Design”.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service Brevo, which is operated by Sendinblue GmbH (Köpenicker Straße 126, 10179 Berlin). In this context, the provider of Brevo (sendinblue) acts as a processor for the responsible party and was accordingly obligated by the latter based on a processing contract to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your data.
Storage period:
The data processed in the context of receiving transactional emails will remain stored at most until the purpose of the data processing no longer applies or until an effective objection to this processing is raised.
As part of the services of the responsible party, you have the option to register to receive the newsletter. For the creation, dispatch, and evaluation of our newsletter, it is necessary that your personal data is processed.
Processed data:
Your first name, last name, email address and anonymized usage data (e.g., open and click-through rates) are processed.
Purposes of processing:
The processing of the data above is necessary for the responsible party to send you personalized newsletters and information and to carry out an anonymized evaluation of the success of the newsletters in terms of click-through and opening rates.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent to receive our newsletters and information can be given within the app. To register to receive the newsletter of the responsible party, it is necessary that you consent to the processing of your personal data by ticking a checkbox provided for this purpose.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin). In this context, the provider of Brevo acts as a processor for the responsible party and has been accordingly obligated by the responsible party based on a processing contract to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your data.
Storage period:
The data processed in this context by the responsible party will be stored at most until you revoke the consent you granted to receive the newsletter of the responsible party. You can revoke your consent at any time in the footer of the newsletter or by email to the contact details listed in sections 2 and 3 of this privacy policy.
As part of the service offering within the MIZU app, it may be necessary for the app to know your location (e.g., as part of the search for suitable service providers, CKD institutions). In this context, personal data (location data) is collected from the end device used by you and processed within the app.
Processed data:
Your location data is processed.
Purposes of processing:
The data above is required to enable you to use certain functionalities within the MIZU app (e.g., search for CKD institutions). The use of these functionalities is otherwise technically not possible.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. You give your consent by actively agreeing to the location query within the MIZU app when using the corresponding functions (e.g., by also clicking “allow”).
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the MIZU app. In this context, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany, acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has accordingly been obligated to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your personal data based on a contract for the processing of orders (AV contract).
Storage period:
The data processed in this context by the responsible party will be stored at most until your consent, once given, is revoked. You can stop the MIZU app from accessing your current location at any time in the settings of the device you are using.
For the analysis of user behavior within the framework of the MIZU app, the responsible party uses the open-source service OpenSearch. Within the scope of the usage analysis, pseudonymized usage data is collected, stored, and evaluated.
Processed data:
Pseudonymized statistics based on defined events (e.g., creation of a new log entry for a specific vital sign) are processed. In addition to information about the event that occurred, associated metadata such as device manufacturer, device name, operating system/version, device resolution, app version, language, font size, gender and, in some circumstances, pseudonymized health data (e.g., CKD stage) are transmitted.
Purposes of processing:
The data above are required to enable the responsible party to analyze user behavior within the scope of the MIZU app. From this, the responsible party can draw conclusions, which are then useful, for example, for expanding the functional scope of the app.
Legal basis:
The responsible party bases the lawfulness of the data processing on Art. 6 (1) (a) or on Art. 9 (2) (a) GDPR. You give your consent during the registration process by ticking a checkbox provided for this purpose. The consent to the usage analysis is obtained separately from the consent to this privacy policy. You can also use the MIZU app if you do not consent to the usage analysis.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the MIZU app. In this context, OVH GmbH, Christophstraße 19, 50670 Cologne, Germany, acts as a processor for us within the meaning of Art. 4 No. 8 GDPR and has accordingly been obligated to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your personal data based on a contract for the processing of orders (AV contract).
Storage period:
You can prevent the collection of data for pseudonymization by revoking your consent once given to the responsible party with effect for the future.
To be able to ensure the permanent technical availability of the MIZU app, the responsible party must continuously monitor the operation of the app to become aware of any errors at an early stage and to be able to take countermeasures in good time. In this context, your personal data will be processed.
Processed data:
Your IP address, details of the terminal device you are using, and error codes are processed.
Purposes of processing:
The data above is required so that errors that have occurred can be identified and corrected. This is to ensure the technical stability and thus the availability of the MIZU app.
Legal basis:
The responsible party bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR (legitimate interest). The legitimate interest follows from the desire of the responsible party to provide you with a stable and secure user experience of the MIZU app. In this sense, the processing is also not opposed by any interests worthy of protection on your part, as the chosen form of processing represents a secure procedure that also reflects the current state of the art.
Recipients:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the service sentry.io (45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States). In this context, the provider of sentry acts as a processor for the responsible party and was accordingly obligated by the responsible party based on a processing agreement to establish and maintain appropriate technical and organizational measures (TOMs) that serve to protect your data.
In this context, please note that sentry.io has its registered office in the United States. A data transfer to the United States is not intended in principle but can also not be conclusively excluded. In this respect, the explanations on data transfer to third countries apply.
Storage period:
The data processed in the context of the use of sentry will remain stored at most until the purpose of the data processing no longer applies or until an effective objection to this processing is raised.
We may use links to social media platforms (e.g., Facebook) in our app. By clicking on the corresponding link within the MIZU app, you will be forwarded to a specific profile on the respective linked social media platform. The direct contact and the associated data exchange between you and the respective social media platform is only established when you actively click on the respective link. In this respect, we do not process your personal data in accordance with the GDPR. Further information in connection with the linked social media platforms can be found in the respective data protection provisions.
The MIZU app contains links to external websites and possibly to external offers. Please note that we are not responsible for their data protection or the content of these other offers. The integration of this content requires that the providers of these (hereinafter referred to as “third-party providers”) receive your IP address, as otherwise the content cannot be displayed within the framework of the browser used by you. However, the responsible party has no influence on whether third-party providers process your IP address for other purposes, such as statistical analysis. If the responsible party becomes aware of such a procedure, you will be informed within the scope of this privacy policy.
Please read the privacy statements of these other websites when you leave the MIZU app.
For the establishment and implementation of a business relationship or other relationship, we generally do not use fully automated decision-making pursuant to Article 22 GDPR. If we use these procedures in individual cases, we will provide separate information about this if this is required by law.
The responsible party reserves the right to update this data protection declaration with effect for the future to be able to react appropriately to changes in the law, changes in case law or changes in economic circumstances. Your rights as a data subject within the meaning of the GDPR will never be restricted by an amendment to this privacy policy.