Privacy policy for our apps (EU and other countries outside USA)

This Privacy Policy explains nature, scope, and purpose of the processing of personal data (hereinafter: "Data") in connection with the operation of our apps.

Scope / Purpose of the digital health apps

This privacy policy applies to the following apps:

• "Kaia Back Pain"

  Kaia Back Pain is intended for multidisciplinary rehabilitation of non-specific back pain (M54.-) that has persisted for longer than 4 weeks and for multidisciplinary rehabilitation following previous episodes of non-specific back pain. Patients can use the app with or without current or past supervision from medical professionals but need to have undergone prior medical examination to exclude causes for back pain that would require specific treatment. The app is designed to be used directly by laypersons in a home setting without prior training.

• "Kaia COPD"

  Kaia COPD is a medical product for use by people with COPD based on the concept of pulmonary rehabilitation. Kaia delivers new course units daily to promote physical activity and to help proactively manage COPD. Kaia COPD supports people above the age of 18 years with a diagnosis of COPD (J44.-) as long as contraindications and other causes for symptoms which require specific therapy are excluded. Kaia COPD cannot diagnose conditions or injuries and cannot be used in lieu of a medical consultation.

For more information on our apps, please refer to the instructions for use of "Kaia Back Pain" and "Kaia COPD".

1. Responsible person / Contact / Management

   • kaia health software GmbH, Siegfriedstrasse 8, 80803 Munich
   • E-mail: info@kaiahealth.com
   • Phone: 089 20207057
   • Managing director: Manuel Thurner

2. Data Protection Officer:

   PROLIANCE GmbH / www.datenschutzexperte.de
   Data Protection Officer
   Leopoldstr. 21
   80802 Munich
   E-mail: datenschutzbeauftragter@datenschutzexperte.de

3. Terms used

   All data protection terms have the same meaning as defined in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

4. Purposes of processing and legal basis

   We use your personal data exclusively for the following purposes:

   1. Intended use of our application (legal basis: consent, Art. 6 (1) lit. a) and Art. 9 (2) a) of the GDPR). Please also see point ‎5 below.
   2. Proof of positive health care effects within the framework of a trial in accordance with § 139e (4) of Book 5 of the German Social Security Code ("SGB V"). This means that we have to provide the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) with evidence of positive effects on health care by means of a comparative study and for this purpose we have to examine and evaluate the results of the therapies and record them in a results study (legal basis: consent, Art. 6 (1) lit. a) and Art. 9 (2) a) of the GDPR).
   3. Please note that a separation of the processing purposes listed under ‎4.1 and 4.2 is not possible, since the corresponding testing and verification is necessarily related to the offer of the application.
   4. Permanent guarantee of the technical functionality, user-friendliness and further development of the application (legal basis: consent, Art. 6 (1) a) and Art. 9 (2) a) of the GDPR. With regard to the Motion Coach feature (see point ‎9), we will, for the course of transparency, refer to the collected consent and give you the possibility to refrain from the recording and uploading of a video, as there may be higher inhibition thresholds from your side.
   5. Further processing purposes, as required by law, such as invoicing a health insurance company or the fulfilment of obligations under medical product law, etc, but also, for example, the defence of legal claims (legal bases: legal obligation, Art. 6 (1) lit. c) of the GDPR in conjunction with the respective special legal provision, Art. 6 (1) lit. d) and e) of the GDPR and Art. 9 (2) lit. c), lit. f) to lit. j) of the GDPR, as far as applicable).

5. Consent wording

   Please find the wording of your consent at the end of this privacy notice.

6. Description of the necessary data processing within the scope of the intended use

   1. Processing of inventory data, payment data etc.
      We process your inventory data (name, contact data etc.) as well as data records from the interface of your mobile phone for the following purposes:
      • Establishment, execution and termination of purchase or service contracts;
      • Creation of an account in the App;
      • Provision of the App and the respective functions and contents;
      • Answering contact requests and communication with users;
      • Handling the payment of the product;
      • Answering support requests.
      • Security measures
   2. Processing of special categories of personal data (health data)
      We process your health data for the following purposes:
      • Analysis of the user's complaints and preparation of a therapy plan;
      • Adaptation of the therapy to the user;
      • Reminding the user to carry out the therapy if the user wishes to use this service within the application;
      • Storage and notification of the therapy progress;

7. Data processing for billing and verification purposes

   As part of the proof of positive effects of the application as well as other proof as described in ‎4.2 and ‎4.3 we will evaluate the development and progress of the respective therapies and aggregate the results anonymously. No personal or personally identifiable data will be transmitted to the respective recipients.

8. Data processing for further development and to ensure technical functionality and user-friendliness

   If you have given us your (optional) consent for this, we will process the personal data as follows:

   • Improvement of the application;
   • Analysis of the user’s behaviour in the app (e.g. Determining the acceptance range of certain new features etc.)
   • Internal, anonymized aggregated studies to optimize therapy approaches;
   • Security measures.

9. Revocation

   Any consent can easily be revoked at any time via the settings in your Kaia-app. Please note that if consent has been given cumulatively for the processing purposes in points ‎4.1 to ‎4.3, revocation will also affect all three processing purposes, including the intended use of the application. In the event of a revocation Kaia can then naturely no longer make the functions of the application available to you and your account will be deleted.

10. Details of the Motion Coach feature

    1. As part of this additional and voluntary feature, video recordings of the training sessions can be recorded, so that Kaia can optimize the app. Such recordings are only made on the basis of a prior collected explicit consent of the user (Art. 6 (1) lit. a) and Art. 9 (2) lit. a) of the GDPR) and are not required for the actual therapy and the exercises. Such recordings are used for the further optimization of the App. For transparency reasons, Kaia will refer the user to the provided consent prior to the recording and will ask every 24 hours for a confirmation. The user is shown a dialog for this purpose immediately before using the feature. The video recording is automatically terminated at the end of the training session. The recording can be stopped manually at any time by ending the training session. If a training session is restarted within 24 hours, the recording will start again without further notice. The user must ensure that no other persons are visible in the camera image or that these persons have also agreed to Kaia's processing.
    2. The video recordings shall be processed to improve the functioning of the App. In particular, the following processing operations shall take place:
       1. Review of the recordings and evaluation with regard to exercise activity, movement characteristics, body pose, other body conditions, and environmental factors which influence the automatic recognition of the body. Review and evaluation is carried out by individual employees and our official data sub-processors in accordance with Art. 28 GDPR. The purpose of the review is the general quality control and not an individual feedback to the user.
       2. Training of machine learning models for the automatic recognition of exercise activity, movement characteristics, body pose, environmental factors, as well as other medical endpoints resulting from the use of the app.
       3. The video recordings will be stored for a period of 10 years (unless you withdraw your consent), an only passed on to third parties with whom we have concluded a data processing agreement pursuant to Art. 28 of the GDPR and which support is necessary for the fulfillment of the purposes described above. We will try to make the personal data anonymous as soon as possible. The data will be transmitted encrypted at all times.

11. Privacy by default

    In accordance with the data protection law principle of "Privacy by Default", our application allows for the individual adaptation of certain features in certain cases. All features offered within this application are basically part of the intended use and are required for an optimal use of the application as a whole. However, Kaia understands that different people may have different preferences regarding communication, sustainability of control, etc., so some features are optional and can be turned on and off using the "Settings" function in the application.

    These include using App Push notifications to send you notifications. The first time you use the app, you will be asked if you want to enable these features in your settings menu. You can also enable or disable these features later. The same applies, for example, to e-mails that Kaia can use to remind you to perform the exercises.

12. Recipient of personal data

    1. We may transfer your personal data collected via this app to the following processors in accordance with Art. 28 of the GDPR, who will assist us in operating the application and providing the service:

       Name	Location	Function	Personal data processed
       Telekom Deutschland GmbH	Landgrabenweg 151, 53227 Bonn, Germany	Cloud Platform as a Service (PaaS) – Provisioning of server and database resources to provide our apps.	Inventory data, contact data, health data, billing data, data to improve the product, motion coach data
       Zammad GmbH	Marienstrasse 18, 10117 Berlin, Germany	Cataloging and responding to support requests	Requests sent to the support team. May contain message text, subject, email address and name
       mailbox.org / Heinlein Hosting GmbH	Schwedter Strasse 8/9A, 10119 Berlin, Germany	Email inbox for support requests	Requests sent to the support team. May contain message text, subject, email address and name
       NOVENTI HealthCare GmbH	Einsteinring 41-43, 85609 Aschheim bei München, Gemrany	Payment processing	Payment processing of DiGA codes over public insurances.

    2. We have entered into contracts with all our processors in accordance with Article 28 of the GDPR or the Standard Contractual Clauses pursuant to Chapter V of the GDPR, which in particular stipulate that the data processing shall be carried out exclusively in accordance with Kaia's instructions and that all employees who are in contact with personal data of Kaia have been bound to data protection secrecy.
    3. In addition, we may transfer your personal data to the following categories of recipients for the processing purposes described above: accountants, legal advisors, tax advisors, supervisory authorities, regulatory authorities, etc.

       Please note that Kaia also cooperates with other partners who are not order processors and who collect personal data directly from the customers without transmitting it via Kaia. This includes, for example, the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A. having its registered seat in the EU (“PayPal”) and the respective order processors of PayPal. If the customer wishes to process any payments via Paypal, the customer will be forwarded to Paypal or affiliated companies for payment purposes. Such third party providers are not "recipients" of Kaia within the meaning of Art. 13 (1) lit. e) of the GDPR. They collect the customer's data independently and based on the customer's decision to choose this payment process. Please note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.

13. International data transfer

    The processing of personal data by Kaia itself as well as the processing of personal data on behalf of Kaia will only take place within Germany, in a member state of the EU or the EEA, Switzerland or, if an adequacy decision has been made in accordance with Art. 45 of the GDPR, in a third country.

14. Storage and deletion concept

    1. As a matter of principle, your data will only be stored by us for as long as is necessary to achieve the purposes for which the data was collected or until you revoke your consent (see point 9). If there are additional legal retention periods (e.g. according to the German Commercial Code, the German Fiscal Code or for regulatory reasons), your data will be stored for the duration of this legally prescribed retention period.
    2. You can stop using Kaia in the app at any time and have all personal data deleted. To do so, select the menu item "Manage your data" in the app settings. There, you can also selectively delete all data that we have collected for product improvement or for the improvement of the Motion Coach, if you have previously given your consent for this in each case.
    3. We store health-related data physically and logically separate from data required for service billing. In the event of a deletion, your data processed by processors will also be deleted.

15. Your rights

    In view of the applicability of the relevant provisions of the GDPR, you have the right of access, restriction of processing, deletion, data portability, the right to object to the processing of personal data, the right of rectification, the right to complain to the competent data protection authority.

    To exercise your right of access and your right to data portability, open the "Manage your data" menu item in the app's settings. There you can export your data in both a human-readable and machine-readable format.

    To correct your data, you will find some options directly in the app's settings. If you want to correct data beyond that, you can always contact our customer support who will make the correction for you.

    To restrict processing or to object to the processing of personal data, you will also find options in the settings of the app under the menu item "Manage your data". If you would like to restrict processing beyond this, please contact our customer support.

16. Contact

    For all questions regarding the protection of your personal data, you can contact our data protection officer, who is also available for requests for information as well as suggestions and complaints.

17. Changes to the data protection declaration

    We reserve the right to update this privacy notice from time to time, in particular to incorporate your feedback and to reflect changes in legislation or established case law. We therefore recommend that you visit this website regularly to inform yourself about how your data is protected and processed.

Consent wording

• I consent to the processing of my personal and health data for purposes of my use of the Kaia app, as well as providing necessary proof of app use for my health insurance company and related billing providers, who partner with Kaia Health to provide me with the Kaia app.
• I consent to the processing of my personal and health data for the purpose of optimization and development of the Kaia app. Please note that Kaia Health relies on your consent to be able to make further improvements to the Kaia app.
• To help us improve this app and our body detection models, we would like to video record your exercise session. Do you voluntarily consent to us recording your personal health data?