Privacy policy for our apps (EU and other countries outside USA)

This Privacy Policy explains the nature, scope, and purpose of the processing of personal data (hereinafter: "Data") in connection with the operation of our apps.

Scope / Purpose of the digital health apps

This privacy policy applies to the following apps:

For more information on our apps, please refer to the instructions for use of "Kaia Back Pain" and "Kaia COPD".

  1. Responsible person / Contact / Management

    kaia health software GmbH, Herzog-Wilhelm-Straße 26, 80331 Munich
    Phone: +49 89 904 226 740
    Managing director: Manuel Thurner

  2. Data Protection Officer:

    Data Protection Officer
    Leopoldstr. 21
    80802 Munich

  3. Terms used

    All data protection terms have the same meaning as defined in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

  4. Purposes of processing and legal basis

    We use your personal data exclusively for the following purposes:

    1. Intended use of our application (legal basis: consent, Art. 6 (1) lit. a) and Art. 9 (2) a) of the GDPR). Please also see point 6 below.

    2. Permanent guarantee of the technical functionality, user-friendliness and further development of the application (legal basis: consent, Art. 6 (1) a) and Art. 9 (2) a) of the GDPR). Please also see point 7 below.

    3. Further processing purposes, as required by law, such as invoicing a health insurance company or the fulfilment of obligations under medical product law, etc., but also, for example, the defence of legal claims (legal bases: legal obligation, Art. 6 (1) lit. c) of the GDPR in conjunction with the respective special legal provision, Art. 6 (1) lit. d) and e) of the GDPR and Art. 9 (2) lit. c), lit. f) to lit. j) of the GDPR, as far as applicable). Please also see point 8 below.

  5. Consent wording

    Please find the wording of your consent at the end of this privacy notice.

  6. Description of the necessary data processing within the scope of the intended use

    1. Processing of inventory data, payment data etc.

      We process your inventory data (name, contact data etc.) as well as data records from the interface of your mobile phone for the following purposes:

      • Establishment, execution and termination of purchase or service contracts;

      • Creation of an account in the App;

      • Provision of the App and the respective functions and contents;

      • Answering contact requests and communication with users;

      • Handling the payment of the product;

      • Answering support requests;

      • Security measures.

    2. Processing of special categories of personal data (health data)

      We process your health data for the following purposes:

      • Analysis of the user's complaints and preparation of a therapy plan;

      • Adaptation of the therapy to the user;

      • Reminding the user to carry out the therapy if the user wishes to use this service within the application;

      • Storage and notification of the therapy progress.

  7. Description of data processing for further development and to ensure technical functionality and user-friendliness

    If you have given us your (optional) consent for this, we will process the personal data as follows:

    As part of data processing to further develop and ensure technical functionality and user-friendliness, as described in this point 7, we may evaluate your user behavior in connection with app usage. Where possible, the evaluation is always based on aggregated data, so that no information that directly identifies you is processed.

  8. Description of data processing for billing and fulfillment of legally required obligations

    1. We process your billing data, consisting of your entered activation code provided by your payment processor or health insurance company, to bill our services in connection with the use of the App and forward it to the relevant health insurance company for billing purposes if the service is reimbursed by your health insurance company.

    2. In connection with the fulfillment of our statutory obligations to which we are subject, we process your data provided in the context of the intended use of the App, including user, application, technical and billing data, such as in particular for the fulfillment of obligations under medical device law, e.g. for the performance of conformity assessment procedures and post-market surveillance of the App.

    3. For billing purposes or to fulfill our legally required obligations, we may also share your data with the relevant payment processors or regulators, where we generally share your data only in pseudonymous form, so that no information that directly identifies you is shared.

  9. Revocation

    Any consent can easily be revoked at any time via the settings in your Kaia app. Please note that in the event that your consent for the intended use of the app is revoked, Kaia will naturally no longer be able to provide you with the features of the app and your account will be deleted.

  10. Privacy by default

    In accordance with the data protection law principle of "Privacy by Default", our application allows for the individual adaptation of certain features in certain cases. All features offered within this application are basically part of the intended use and are required for an optimal use of the application as a whole. However, Kaia understands that different people may have different preferences regarding communication, sustainability of control, etc., so some features are optional and can be turned on and off using the "Settings" function in the application.

    These include using App Push notifications to send you notifications. The first time you use the app, you will be asked if you want to enable these features in your settings menu. You can also enable or disable these features later. The same applies, for example, to e-mails that Kaia can use to remind you to perform the exercises.

  11. Recipient of personal data

    1. We may transfer your personal data collected via our app to the following processors in accordance with Art. 28 of the GDPR, who will assist us in operating the application and providing the service:

      | Name | Location | Function | Personal data processed |
      |---|---|---|---|
      | Telekom Deutschland GmbH | Landgrabenweg 151, 53227 Bonn, Germany | Cloud Platform as a Service (PaaS) – Provisioning of server and database resources to provide our apps. | Inventory data, contact data, health data, billing data, data to improve the product |
      | Zammad GmbH | Marienstrasse 18, 10117 Berlin, Germany | Cataloging and responding to support requests | Requests sent to the support team. May contain message text, subject, email address and name |
      | Heinlein Hosting GmbH | Schwedter Strasse 8/9A, 10119 Berlin, Germany | Email inbox for support requests | Requests sent to the support team. May contain message text, subject, email address and name |
      | NOVENTI HealthCare GmbH | Einsteinring 41-43, 85609 Aschheim bei München, Germany | Payment processing | Payment processing of DiGA codes over public insurances. |
      | IMEDIAPP SA | 43 rue Beaubourg, 75003 Paris, France | Push notifications | Push identifier |
      | Actito S.A. | 1 Avenue Athéna, 1348 Louvain-la-Neuve, Belgium | Push and email notifications | E-mail addresses |

    2. We have entered into contracts with all our processors in accordance with Article 28 of the GDPR or the Standard Contractual Clauses pursuant to Chapter V of the GDPR, which in particular stipulate that the data processing shall be carried out exclusively in accordance with Kaia's instructions and that all employees who are in contact with personal data of Kaia have been bound to data protection secrecy.

    3. In addition, we may transfer your personal data to the following categories of recipients for the processing purposes described above: accountants, legal advisors, tax advisors, supervisory authorities, regulatory authorities, etc.

    4. Please note that Kaia also cooperates with other partners who are not order processors and who collect personal data directly from the customers without transmitting it via Kaia. This includes, for example, the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A. having its registered seat in the EU (“PayPal”) and the respective order processors of PayPal. If the customer wishes to process any payments via PayPal, the customer will be forwarded to PayPal or affiliated companies for payment purposes. Such third party providers are not "recipients" of Kaia within the meaning of Art. 13 (1) lit. e) of the GDPR. They collect the customer's data independently and based on the customer's decision to choose this payment process. Please note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.

  12. International data transfer

    The processing of personal data by Kaia itself as well as the processing of personal data on behalf of Kaia will only take place within Germany, in a member state of the EU or the EEA, Switzerland or, if an adequacy decision has been made in accordance with Art. 45 of the GDPR, in a third country.

  13. Storage and deletion concept

    1. As a matter of principle, your data will only be stored by us for as long as is necessary to achieve the purposes for which the data was collected or until you revoke your consent (see point 9). If there are additional legal retention periods (e.g. according to the German Commercial Code, the German Fiscal Code or for regulatory reasons), your data will be stored for the duration of this legally prescribed retention period.

    2. You can stop using Kaia in the app at any time and have all personal data deleted. To do so, select the menu item "Manage your data" in the app settings.

    3. We store health-related data physically and logically separate from data required for service billing. In the event of a deletion, your data processed by processors will also be deleted.

  14. Your rights

    1. In accordance with the GDPR, you are entitled to the following data protection rights in accordance with the legal requirements:

      • Right to access, rectification, erasure and restriction of processing: You have the right to request information about your data stored by us at any time (Art. 15 GDPR). When we process or use your data, we strive to take reasonable steps to ensure that your data is accurate and up to date for the purposes for which it was collected. In the event that your data is inaccurate or incomplete, you may request that it be rectified (Art. 16 GDPR). Furthermore, you may have the right to request the erasure (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) of your data if, for example, your data is no longer necessary for the purposes for which it was collected or otherwise processed and legal retention obligations do not require its continued storage.

      • Right to data portability: where applicable, you have the right to receive the data that you have provided concerning you, in a structured, common and machine-readable format or to transfer this data to another responsible person (Art. 20 GDPR).

      • Right to withdraw your consent: If you have consented to the collection, processing and use of your data, you may withdraw your consent at any time with effect for the future (see point 9), but without affecting the lawfulness of the processing carried out on the basis of the consent until withdrawal (Art. 7 (3) GDPR).

      • Right to object: You have the right to object at any time to the processing of your data based on Art. 6 (1) (e) or (f) GDPR for reasons arising from your particular situation. We will not process your data after an objection, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (Art. 21 (1) GDPR, so-called "limited right of objection"). In this case, you must provide reasons for the objection that arise from your particular situation. Furthermore, you have the right to object to the processing of your data for the purposes of direct marketing at any time, even without stating reasons (Art. 21 (2) GDPR).

      • Automated individual decision-making (including profiling): You have the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects concerning you or similarly significantly affects you (Art. 22(1) GDPR). Please note that we do not use such automated decision-making or profiling within the meaning of Art. 22 GDPR in connection with our app.

    2. To exercise your right to access and your right to data portability, open the "Manage your data" menu item in the app's settings. There you can export your data in both a human-readable and machine-readable format.

    3. To correct your data, you will find some options directly in the app's settings. If you want to correct data beyond that, you can always contact our customer support who will make the correction for you.

    4. To restrict processing or to object to the processing of personal data, you will also find options in the settings of the app under the menu item "Manage your data". If you would like to restrict processing beyond this, please contact our customer support.

    5. You also have the right to complain to the competent supervisory authority at any time if you believe that the processing of your data is not lawful. The supervisory authority responsible for Kaia is the Bavarian Data Protection Authority; postal address: P.O. Box 606, 91511 Ansbach; telephone: +49 (0) 981 53 1300; e-mail:

  15. Contact

    For all questions regarding the protection of your personal data, you can contact our data protection officer, who is also available for requests for information as well as suggestions and complaints.

  16. Changes to the data protection declaration

    We reserve the right to update this privacy policy for our apps from time to time, in particular to incorporate your feedback and to reflect changes in legislation or established case law. We therefore recommend that you visit this website regularly to inform yourself about how your data is protected and processed.

As of: November 2022