Data Privacy for the Health Coach App 360°

Data Protection Notice under GDPR

Data Protection Notice

The following information informs users of our mobile app about how we process personal data. This information serves to comply with our duties under the General Data Protection Regulation (GDPR). Personal data means any information relating to you by which you can be identified, directly or indirectly.



  1. Who is accountable for the use of my data?

 

LykonDX GmbH

Schönhauser Allee 149, 10435 Berlin

Germany

E-Mail: support@lykon.com

The company indicated above is accountable for the use of personal data on this mobile app. Every processing of personal data on this mobile app is conducted in compliance with the GDPR as well as any other applicable legislation.

You can contact the company by the means indicated above, stating the subject of your query. If you want to contact the responsible data protection officer directly, add “Attention Data Protection Officer” to the address or contact the data protection officer via email: support@lykon.com.

 

  2. What data are concerned?

 

If you use our mobile app on your mobile device, certain information is collected simply for technical reasons of data flows (technical data). This technical data consists of server log files, information about the type of your mobile device, operating system, your internet service provider and your IP address, and the date and time of the use of the app. Apart from the IP address, this information does not allow an identification of you. Where the IP address is used, we comply with the provisions of the GDPR.

 

Some features of the app require the provision of personal data. In these situations the respective service requested by you will be the leading purpose of our use of your data. Our mobile app offers the following features, where you can request actions from us and where we will need information from you:



  • If you register for using the app: user data such as your name, your email address, your postal address, information about your health (for example blood sugar level, cholesterol level, vitamin level), your test results, information about your individual coaching.
  • While you are using the app: tracking data about your use of the app - this information will be pseudonymized and will only be analysed in an anonymous way.
  • If a software problem occurs while using the app: so-called “crash logs”, which are used by the company to identify and resolve the software problem.
  • If you use our online web shop (you are redirected from the app to the external shop website), for example to purchase a test kit: your name, your postal address, your email address.

  3. Which data are used for which purpose?

 

The purposes for processing personal data arise from technical requirements, contractual obligations, legal obligations and your consent.

 

We use the data listed above in sec. 2 for the following purposes:

 

  •    provision of our mobile app, including measures to assure an undisturbed service, prevent fraud and hacking and ensure the security of our systems
  •    user registration, creating a user account on our platform and the online coaching
  •    providing the functionality of so-called “push notifications” for the app user (can be deactivated by the user at any time)
  •    measuring user behaviour and the reach of the mobile app in order to improve the app, provide a better user experience and conduct market research
  •    analysing and remedying software problems
  •    communication purposes, customer maintenance and intensive customer care as well as preparation to enter into a contract
  •    forwarding the user to our online web shop and fulfilment according to our online shop terms of service (https://www.lykon.co.uk/pages/terms-and-conditions)

 

You can find further information about each feature used, as well as the underlying purposes, in the following sections.

 

3.1 Technical provision of the mobile app

3.1.1 Description and extent of the processing

For the provision of our mobile app, including regular performance and security checks, server log files are stored when our mobile app is accessed. These log files contain the information, and possibly the personal data, indicated in section 2 above. Log files are used for the purposes of technical provision only and are not merged with any other data. Part of the technical provision is a regular review procedure that is designed to detect fraud, hacking and other forms of disruptive behaviour.

 

Furthermore, crash logs will be sent to the company in case of acute software problems. The crash logs usually do not contain personal data and will be used during analysis and remedy of the software problems. They will only be used internally and will be deleted afterwards.

 

3.1.2 Purposes and legal basis for the use of personal data

The legal basis for the use of server log files and crash log files is Art. 6 sec. 1 lit. f GDPR. Our interest is the undisturbed, resilient and performant operation of our mobile app. Given the minor effect on the data subject due to the limited amount of data used, our interest prevails.

 

3.1.3 Duration of storage

After you access our mobile app, we store the server log files, including your IP address, for 7 days. Any analysis of this data is conducted only in case of a disruptive event involving this data.

The crash log files are stored separately from the user data and the server logs. They will be deleted after the software problem has been resolved.

3.1.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above.

 

3.2 Contact via E-Mail

3.2.1 Description and extent of the processing

Our mobile app offers you a means to get in contact with us. An email address is provided to you inside the mobile app. The email client of your mobile device is used to create and send the mail to the company. If you use this way of contacting the company, the data associated with that means of contact (e.g. your email address) and of course your request will be recorded, so that we can provide you with a solution. The same applies to your query: if you use this means to address a question to us, we will store and use that request in a form that is linked to you for as long as we need it to process it properly. Where necessary, some or all of the data collected under this clause can be transmitted to other entities, provided we need their support to answer your request. In that situation we ensure that the recipient has implemented a proper level of protection as well.

 

3.2.2 Purposes and legal basis for the use of personal data

The legal basis for using data in this regard is Art. 6 sec. 1 lit. f GDPR. Our shared interest is that you receive an adequate answer. Hence, for the time necessary for this endeavour, there is no overriding interest that prevails and excludes the data processing. Where your contact is directed towards the conclusion of a contract, the processing is based on Art. 6 sec. 1 lit. b GDPR instead.



3.2.3 Duration of storage

After responding to your request and the end of any further communication, the information you provided for the purpose of the query will be erased, unless your query was directed towards the conclusion of a contract or you contacted us in order to exercise one of your data subject rights. In that situation we will keep records for as long as necessary for the performance of a contract or for as long as we have to demonstrate our compliance with your request regarding your rights.

For contracts the storage period is usually 10 years according to German tax laws and 6 years according to German commercial laws.

 

3.2.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above. Where you object to the use of your data, we might not be able to respond to your request anymore, unless it is necessary for the performance of a contract or you want to exercise one of your rights.

 

3.3 Use of our Web shop

3.3.1 Description and extent of the processing

Our mobile app offers you a redirect to the online web shop, where you can purchase goods (for example test kits). The web shop is not part of the mobile app. You can also reach it directly by entering the shop URL into your browser (https://www.lykon.co.uk).

 

For the provision of that service, we collect personal data which are (a) technically necessary (e.g. session cookies to maintain your shopping cart) and (b) necessary for the performance of the contract. Which of these are mandatory and which are optional is indicated in the respective data fields. For purposes of accounting and contract performance, all or parts of your data can be transmitted to third parties who support us in our tasks. Moreover, we might use service providers for performing our duties. Such service providers are bound by a strict contract obliging them to adhere to data protection.

To prevent fraud and similar crimes, all traffic on our mobile app, and especially the login-restricted user areas and our payment mask(s), is encrypted.

 

3.3.2 Purposes and legal basis for the use of personal data

Use of data for the purposes of any sale is based on the performance of that contract pursuant to Art. 6 sec. 1 lit. b GDPR.

 

3.3.3 Duration of storage

For reasons of tax and commercial law compliance we have to store data which concern the performance of a contract by us, including payment information, for up to 10 years. However, for this time of retention and two years after your purchase, the data remain specifically stored in an access restricted space, so that they cannot be processed for any purpose other than tax and trade law compliance.



3.3.4 Right to object

Processing of personal data is required for the performance of our contract. Hence, there is no possibility for you to object, except for remedies under civil contract law.

 

3.4 Use of our mobile app (registration questionnaire, daily protocol, analysis, online coaching)

3.4.1 Description and extent of the processing

When using our mobile app you have to answer a number of questions concerning your person, your nutrition habits, physical fitness and your lifestyle in general. The answers to these questions provide an individual configuration of the user experience.

 

Within the app you can access your profile and test data using your mobile device. You can also enter individual data on nutrition, fitness and lifestyle. This service aims at giving you individual recommendations and providing you with an insight into your health status. If you have sent in one of our testing kits beforehand, you can also access the results via the mobile app.

 

3.4.2 Purposes and legal basis for the use of personal data

Use of data for the purposes of providing the services mentioned above is based on the performance of that contract pursuant to Art. 6 sec. 1 lit. b GDPR.

 

3.4.3 Duration of storage

 

In general your data will be deleted if you cancel the contract or if you do not use our services actively for a period of time longer than 4 years.

 

For reasons of tax and commercial law compliance we have to store some data which concern the performance of a contract by us, including payment information, for up to 10 years. However, for this time of retention the data remain specifically stored in an access restricted space, so that they cannot be processed for any purpose other than tax and trade law compliance.

 

3.4.4 Right to object

Processing of personal data is required for the performance of our contract. Hence, there is no possibility for you to object, except for remedies under civil contract law.



3.5 Newsletter

3.5.1 Description and extent of the processing

Our mobile app offers the possibility to subscribe to a free email newsletter. The data entered in the subscription form will be collected by us, processed with the involvement of data processors and used to provide you with the requested information. On subscription we will collect your consent and refer to our Data Protection Notice, where we provide further information on how we process personal data. There is no transmission of your data to third parties. The only mandatory information for a subscription to our newsletter is a name (so we can address it accordingly) and a valid email address. The information provided in this way will first be processed in order to verify the validity of the consented email address by means of an opt-in. Additionally provided data are not mandatory.

 

Where you purchase any goods or services via our mobile app by indicating your email address, or use the settings within the app accordingly, this can be used in future to inform you by means of a newsletter, possibly with the involvement of processors. Your data will not be transferred to any third parties.

 

Where the newsletter contains web beacons to measure and improve the success of such advertising, further information may be collected. Data collected that way are linked with the addressee of the respective newsletter in order to improve the presented products and develop a better understanding of our customers' needs.

 

3.5.2 Purposes and legal basis for the use of personal data

 

For the provision of the requested newsletter we will process the data you entered accordingly. The legal basis for this is Art. 6 sec. 1 lit. a GDPR.

 

Where you purchase any goods through our mobile app and provide us with your email address, we can base advertisements and information for comparable or supplementary goods or services on Art. 6 sec. 1 lit. f GDPR. Our legitimate interest is to maintain a high level of customer care and a positive user experience.

 

3.5.3 Duration of storage

 

For the time of your subscription we will store the data needed for the provision of the newsletter. The data will be processed only for this purpose and in order to demonstrate to authorities that we have obtained a valid consent for this processing. Where you withdraw your consent, we will delete all data about you, unless they are needed to demonstrate that we have complied with your withdrawal.

 

The data will be stored for the time needed for contractual performance, to demonstrate our compliance with regulatory obligations or until you withdraw your consent.

 

You can object to any sort of tracking through beacons at any time by using the objection feature within every newsletter email or by contacting us through our mobile app. The data will remain stored until you withdraw your consent; deletion is subject to any regulatory obligations.

 

Where you deactivate pictures in your email client you might not be able to view all contents of our newsletter. In this situation some of the tracking features will be deactivated as well.



3.5.4 Right to object

 

You can unsubscribe from our newsletter at any time by using the unsubscribe button at the end of any newsletter or by sending an email with the subject “[Your email address] Unsubscribe [Name of the newsletter]” to support@lykon.com. You will get a confirmation mail for your revoked subscription.

 

To object to tracking, you can use the dedicated feature at the end of every email you receive, or you can choose to opt out of this sort of tracking permanently by using the opt-out link provided or by contacting the company via email (support@lykon.com).

 

3.6 Tracking of user behaviour (not personalized)

Our mobile app uses features to measure and evaluate user behaviour and interaction. These features utilize your access data (see section 2 above) and analyse your interactions with our mobile app by means of a technical ID of your mobile device (see section 2 above).

 

This kind of analysis does not usually require personal data. Your IP address will therefore either not be used at all or be truncated by its last octet, which leads to anonymous user profiles that will not be combined with other data we store. Identifiable user profiles will only be created if you have consented to it.

 

Web tracking is usually conducted with the involvement of external providers (Processors). With such processors we have concluded data processing agreements: contracts which strictly bind them to our instructions and oblige them to process the collected data on our behalf and in a substantially limited way only.

 

Where such a Processor is established outside of the EU, a so-called third country transfer might occur. This is lawful if the Processor offers an adequate level of data protection, which can be achieved by different means (additional safeguards). We ensure that every Processor provides such a level at the time of its involvement. Which additional safeguard applies in each case is indicated below.

 

3.6.1 Google Analytics for Firebase

This mobile app uses Google Analytics (GA) for Firebase. The provider of GA is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. GA is configured in a way that it only creates pseudonymous user profiles, which cannot identify you as a person. These non-personal user profiles will be subject to analysis and evaluation. Google is contractually obliged not to merge these profiles with any data it might possibly hold from other sources.

 

Any occurring third country transfer is covered by Google’s certification under the US-EU Privacy Shield, which ensures that Google adheres to European standards of data protection.

 

You can find more information about the data processing by Google, including GA, in Google’s Data Protection Statement: https://www.google.com/analytics/terms/en.html

 

3.6.2 Purposes and legal basis:

The legal basis for the creation and utilization of pseudonymous user profiles is Art. 6 sec. 1 lit. f GDPR – legitimate interest. Our legitimate interest in creating such profiles is to increase the success of our mobile app, measure its geographical reach and develop a better understanding of our audience. Where user profiles are capable of identifying a natural person, the legal basis is the consent of that person, Art. 6 sec. 1 lit. a GDPR; otherwise such profiles will not be created.

3.6.3 Duration of storage:

Data collected by the use of web tracking tools will be stored in pseudonymous form. You can object to the collection with effect for the future. The maximum duration of storage is 14 months. Where profiles do identify a natural person, the duration of storage is determined by the continued existence of a valid consent. After withdrawal the data will be deleted or anonymized.

3.6.4 Right to object:

You can object to the use of web tracking tools and their collection of personal data by adjusting your mobile device settings accordingly. Please go to the settings section of your mobile device OS and deactivate the use of the “Google Ad Id”.

 

  4. Who gets my data?

Within our company, only those departments that need your data in order to fulfil the purposes (see section 3 above) will have access to it. This applies accordingly to any involved Processors, if any, who might process data on our behalf (e.g. hosting and operations, mail delivery, etc.). All our Processors are contractually bound to our instructions, which adhere to the high standard of data protection set out under the GDPR.

Outside our company, your data will be transferred to so-called third parties (e.g. advertising consultants, lawyers, or other business providers) only if this is required by law, based on a legal basis, or where you have consented. The following third parties can receive data about you where one of these situations (legal obligation, legal basis or consent) applies:

 

  • Providers of web analysis tools, who process data for their own purposes and are not bound to our instructions as a Processor
  • Providers of tools for measuring the performance and stability of the services
  • Providers of payment services
  • Public institutions, such as the public prosecutor, police or other authorities who can demonstrate a legal entitlement to receive the data

 

For more information about third parties who might receive your data, if any, see Sec. 3 above.

 

  5. Are my data transferred outside of the EU (Third country transfer)?

Where any of the providers indicated in section 5 above are located outside the EU/EEA, this might lead to your data being processed in a country that does not maintain a level of data protection similar or equal to the one within the EU. Therefore such a level of data protection must be established by the data exporter (this is us for our mobile app) by means of additional safeguards, which raise the level of data protection of the data importer. Additional safeguards can be an official adequacy decision by the European Commission, additional contractual clauses, also issued by the Commission, or a certification under a mechanism that is approved by the Commission (such as the US-EU Privacy Shield for the USA). You can request a copy of the applied additional safeguards by using our contact details from Sec. 1 above.

The following providers are processing your data outside the EU/EEA under application of the following additional safeguards:

 

  •    For the provision of our mobile app we use hosting providers who host our mobile app backend on their servers outside the EU or accessible from outside the EU. With those hosting providers we have concluded Standard Contractual Clauses, approved by the European Commission.
  •    For tools for web tracking, newsletter delivery and push notifications we use service providers who provide their services outside the EU/EEA or who are able to access their servers from outside the EU/EEA. With those service providers we have concluded Standard Contractual Clauses, approved by the European Commission, or they are certified under the EU-US Privacy Shield.

 

  6. What are my rights?

You have all rights under Chapter III of the GDPR. They can be exercised towards every Controller handling your data. These rights are:

  •    Right to access: You can request information about all data stored about you and how they are processed by the accountable Controller.
  •    Rectification: You can request rectification where data concerning you are wrong or outdated.
  •    Erasure and right to be forgotten: You can request that the Controller deletes your data. Where a deletion is conducted, the Controller shall inform any recipient to whom the data have been disclosed (right to be forgotten).
  •    Restriction: You can request a restriction of processing for the reasons set out by the GDPR.
  •    Data portability: Where the conditions of the law are met, you can request to receive a copy of your data in a structured, machine-readable and commonly used format.
  •    Objection: You can object to the processing of your data for reasons that relate to your particular situation, if the processing is based on Art. 6 sec. 1 lit. f GDPR – legitimate interests.

If you have given us your consent for the processing of your data, you can at any time withdraw this consent with effect for the future. Please address your withdrawal to the attention of our Data Protection Officer indicated in Sec. 1 above.

Additionally, you are entitled to lodge a complaint with the supervisory authority competent for us:

 

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstr. 219

10969 Berlin

Germany

 

or with the one competent for you, which will forward your request to the competent authority.

  7. From where are my data collected?

All personal information of yours processed by the app is collected directly from you.

  8. Is there any automated decision-making (including profiling)?

For the purposes indicated in Section 4 above, we do not use automated decision-making (including profiling).

  9. Final information / Version

This mobile app is subject to constant improvement and change. This may affect the information given herein about any processing of personal data. The information given reflects the “as-is” situation on 22.11.2018.
