Information on data protection for users of the active365 app

General information

1. Contact details

If you have any questions or comments regarding this information or wish to contact us to assert your rights, please address your query to:

eTherapists GmbH | TELUS Health
Invalidenstr. 117, 10115 Berlin (Germany)
Email: dataprivacy.support@active365.app

2. Lawful basis

The term 'personal data' used in data protection law refers to all information relating to an identified or identifiable person. We process personal data in compliance with the applicable data protection provisions, in particular the GDPR and BDSG. We only process data on the basis of legal permission. We only process personal data with your consent (Art. 6 para. 1 (a) GDPR), to perform a contract to which you are a contracting party or to take steps at your request prior to entering into the contract (Art. 6 para. 1 (b) GDPR), to comply with a legal obligation (Art. 6 para. 1 (c) GDPR), or if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 para. 1 (f) GDPR).

3. Duration of storage

Unless indicated otherwise by the following information, we only store data for as long as required to fulfil the purpose of processing or to meet our contractual or statutory obligations. Such statutory retention obligations can arise in particular under commercial and tax law. From the end of the calendar year in which the data was gathered, we will store personal data contained in our accounting records for ten years and personal data contained in commercial correspondence and contracts for six years. In all other respects we will store data relating to verifiable consents and complaints and claims for the duration of the statutory limitation periods. We will erase data which we process on the basis of your consent when you object to processing for this purpose.

4. Categories of data recipients

We use processors to help us process your data. Processing operations carried out by such processors include, for example, hosting, email delivery, maintenance and support of IT systems, customer and order management, order processing, accounting and settlement, marketing measures, and document and data carrier destruction. A processor is a natural person or legal entity, public authority, agency or other body that processes personal data on behalf of the controller responsible for data processing. Processors do not use the data for their own purposes but process the data only on behalf of us as the controller, and are contractually obliged to implement appropriate technical and organisational measures to ensure that data protection is guaranteed. If applicable, we may also transmit your personal data to bodies such as the postal and delivery service, principal bank, tax / auditing company or finance administration. Other recipients may be indicated by the following information.

5. Transmission of data to third countries

Our data processing activities may involve the transmission of specific personal data to third countries, i.e. countries where the GDPR is not part of the applicable laws. Such a transmission takes place lawfully if the European Commission has found that an adequate level of data protection is ensured in such a third country. Adequacy decisions have been issued for the following countries.
For the transmission of data to the USA, the adequacy decision applies to companies that are certified under the Privacy Framework and who are included in this list.  

If the European Commission has not issued an adequacy decision, personal data will be transmitted to a third country only if appropriate safeguards have been provided pursuant to Art. 46 GDPR or if the conditions of Art. 49 GDPR have been met.

If there is no adequacy decision and nothing to the contrary is stated below, we use the EU's Standard Contractual Clauses (SCCs) as appropriate data protection safeguards for the transmission of personal data to third countries. If you wish to receive or view a copy of these EU Standard Contractual Clauses, please contact the address provided above.

If you consent to the transfer of personal data to third countries, transmission will take place on the lawful basis of Art. 49 para. 1 (a) GDPR.

6. Processing when you exercise your rights

If you exercise your rights in accordance with Arts. 15 to 22 GDPR, we will process the transmitted personal data for the purpose of implementing these rights and in order to provide proof that we have done so. Data stored for the purpose of providing and preparing information will be processed only for this purpose and for the purpose of monitoring data protection; we will restrict its processing for any other purposes.

The lawful basis for such processing is provided by Art. 6 para. 1 (c) GDPR in conjunction with Art. 15 to 22 GDPR and §34 para. 2 BDSG.

7. Your rights

As a data subject you are entitled to assert data subject rights against us. You have the following rights in particular:

• Under Art. 15 GDPR and §34 BDSG you have the right to obtain confirmation as to whether or not and to what extent personal data concerning you is being processed. You can assert your right to information in the app under 'Account', 'Manage account', 'Request data'.
• You have the right under Art. 16 GDPR to obtain from us the rectification of your data.
• You have the right under Art. 17 GDPR and §35 BDSG to obtain from us the erasure of your personal data. You can assert your right to erasure in the app under 'Account', 'Manage account', 'Delete account'.
• You have the right under Art. 18 GDPR to request us to restrict the processing of your personal data.
• You have the right under Art. 20 GDPR to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format and the right to transmit this data to another controller.
• If you have consented separately to the processing of your data, you may withdraw this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a withdrawal of consent shall not affect the lawfulness of the processing based on that consent prior to its withdrawal.
• If you believe that the processing of your personal data breaches the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority under Art. 77 GDPR.

8. Right of objection

Under Art. 21 para. 1 GDPR you have the right to object, on grounds relating to your particular situation, to processing of your personal data which is lawfully based on Art. 6 para. 1 (e) or (f). Where we process your personal data for direct marketing purposes, you can object to this processing pursuant to Art. 21 paras. 2 and 3 GDPR.

9. Data protection officer

The contact details of the data protection officer are:

Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg (Germany)
Email: datenschutz@e-therapists.de
www.datenschutzkanzlei.de

Data processing while using active365

1. Processing of personal data – overview

Personal data is defined as all information relating to an identified or identifiable person. This includes information that makes it possible to identify you directly, such as your name or photo, as well as facts that can indirectly reveal information about you, such as details of your body, impairments or complaints, information about your leisure activities, and data which you provide for quality improvement purposes while using the app.

Personal data also includes information that is provided under a pseudonym, without disclosing your name. Data protection law generally also classifies the IP address as an item of personal data. An IP address is allocated by the internet provider to each device connected to the internet so that it can send and receive data. Health data is personal data that directly or indirectly provides information about the health of a person. Such data includes information about your physical well-being / complaints or about your mental / psychological health. Health data falls into the special categories of personal data that are subject to a particularly high level of protection.

When using active365, we capture information that you yourself provide. We also automatically capture information relating to your use of the app. The following describes in detail what data related to you we process, and for what purposes.

2. Cookies and comparable technologies

In our app, we use cookies and comparable technologies ('cookies'). Cookies are small sets of data that are stored on your device when you use our app.

a. Cookies used in the app

Some cookies are technically required for the operation of our app and are therefore permitted without your consent. In other respects, we would like to use cookies to enable us to offer certain functions and to analyse our app and its use. That may also include third party cookies. You can find more information about this in this privacy policy. Cookies that are not technically required are used only with your consent pursuant to §25 para. 1 of the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, 'TDDDG') and Art. 6 para. 1 (a) GDPR, where applicable

You can adjust the selection of cookies and withdraw your consent at any time. You can find this option in the app under Menu, 'Account', 'Manage opt-ins'.

b. Consent management tool

We use the Usercentrics consent management tool of Usercentrics GmbH (Germany / EU) to manage cookies and personal data.

The consent banner allows users of our app to consent or withdraw previously given consent to specific data processing activities. By clicking on the 'I accept' button or storing individual cookie settings, you agree to the use of the relevant cookies.

Your consent pursuant to Art. 6 para. 1 (a) GDPR provides the required lawful basis under data protection law.

The banner also helps us to provide proof that you have given your consent. To this end we process information about the declaration of consent and other log data relating to this declaration. Cookies are also used to collect this data. This data must be processed in order to prove that consent has been given. The lawful basis is provided by our legal obligation to record your consent (Art. 6 para. 1 (c) GDPR in conjunction with Art. 7 para. 1 GDPR).

3. Downloading the app

When downloading the app, certain required information is processed by the app store selected by you (Google Play or Apple App Store). During this process, in particular information such as the user name, email address, client number of your account, time of the download and the individual device number may be processed. This data is processed exclusively by the provider of the app store in question and lies outside our sphere of influence.

4. Registration and installation of an active365 app user account

You have to set up an active365 user account if you wish to benefit from our active365 offers and services. When you register we usually record your email address, password and IP address. The login data which you enter to use the active365 offers is stored on European servers of the service provider mandated by eTherapists GmbH.

When setting up your user account you can decide how you want to register. We offer the following options for registering your user account:

a. Setting up a user account with an email address

You can set up your user account and access the active365 offers and services by using an email address.

b. Setting up a user account with a Google account

If you choose to sign in using Google, your email address and first name will be transmitted to us from your Google user account. This data is used by us only for the purpose of login and registration. However, the log-in service also allows Google to record when and how you logged in to active365. No information is passed on regarding your use of the contents or services.

c. Setting up a user account using 'Sign in with Apple'

When you use 'Sign in with Apple' you can decide for yourself whether your email address linked to your Apple ID or a private relay address (alias) is transmitted to us. The private relay address automatically forwards all emails from us to the email address linked to your Apple ID. You can find more information about 'Sign in with Apple'. We do not forward any information to Apple about your use of the contents or services provided by active365.

The data is processed in order to provide a service pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR.

5. Data processing during use

a. Automatic processing of personal data while using the app

When you use our app we collect the following data that is required technically to provide the functions of our app and to ensure its stability and security.

• IP address
• Date and time of query
• Time zone difference to coordinated universal time (UTC)
• Content of query (specific page)
• Access status / HTTP status code
• Volume of data transmitted
• User agent of app
• Operating system and its user interface
• Language and version of app

Art. 6 para. 1 (f) GDPR constitutes the lawful basis for the processing of this data, which serves our legitimate interest in ensuring the security and stability of our app.

The infrastructure is hosted on the servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg / EU). AWS is the processor and may only process the data in accordance with our instructions. The transmission of your personal data to the USA cannot be excluded in relation to the service provided by AWS. In this regard, please refer to the section on 'Transmission of data to third countries'. To analyse access and ensure data security, we also use the New Relic service provided by New Relic, Inc. (USA), which in its capacity as processor processes the data solely in accordance with instructions. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

b. User profile and content data

We process the data which you provide to us in your user profile and which we collect and process during the use of the app. This includes the information provided in your user profile, e.g. weight, movement data or dietary habits (only if you provide this information to us voluntarily), user behaviour and sometimes also access rights to your smartphone (e.g. when you want to upload a profile photo). The data is processed in order to provide our service to you pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR.

We store the user profiles and the data collected during use of the app in CleverTap, a service offered by WizRocket Inc. (USA), which as processor is contractually obliged to process the data solely in accordance with our instructions.

Personalised optionCleverTap enables us to analyse data in order to deliver push notifications based on user behaviour and to adjust the contents of mailshots. Data is processed for this purpose, and personalised notifications are sent to you only if you have provided your consent. The lawful basis is provided by Art. 6 para. 1 (a) GDPR. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Settings', 'Personalisation'.

Non-personalised option
CleverTap enables us to send push notifications to motivate you as the user. Your usage is not analysed for this purpose. The lawful basis for the display of notifications is our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR in structured user management and motivating messages for our users.

The use of CleverTap means that the transmission of data to the USA cannot be excluded. Please refer to the section on 'Transmission of data to third countries'.

c. Health data

When you make use of our offer, health data is required to be processed in accordance with Art. 9 para. 1 GDPR. This data must be processed in order for us to provide our service. Health data is processed exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. If you do not give your consent, we cannot provide the service offered. You may withdraw or change your consent at any time in the app by going to Menu 'Account', 'Manage opt-ins'. Please note that you will no longer be able to use our service if you withdraw your consent. The use of our offer is voluntary.

d. Anonymisation

We reserve the right to anonymise your personal data before using it for evaluation and optimisation purposes. Your data will be anonymised on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You may withdraw or change your consent at any time in the app by going to Menu 'Account', 'Settings'. Please note that you will no longer be able to use our service if you withdraw your consent. The use of our offer is voluntary.

e. Use of activity information relating to linked accounts and third-party providers

You can import activity information from other platforms into your active365 app. You must explicitly express your agreement on these platforms that you wish to link these platforms to your user account in order to import this data. You can also determine yourself which data should be imported.

You can link the following providers / platforms to your active365 user account:

f. Apple Health app

With an Apple product you can capture activity and health data or import such data from different apps into the Apple Health app. You must explicitly agree to share this data with active365 and permit active365 to export data to Apple Health. You may change the permission at any time. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You provide this consent to Apple and may withdraw it at any time.

g. Google Fit app

With an Android device you can capture activity and health data or import such data from different apps into the Google Fit app. You must explicitly agree to share this data with active365 and permit active365 to export data to Google Fit. You may withdraw the permission at any time. The use of active365 and the transmission of information to other applications which we receive from Google APIs are governed by the Google API Services User Data Policy, including the conditions for limited use. The app requests relevant permission for the following purposes:

• Permission: Information about 'fitness location'
  Purpose: To capture your data for step, running and cycling challenges. We cannot (and do not) request your location in this case.
• Permission: Information about 'fitness activity'
  Purpose: This enables us to differentiate between various activity types, to request the relevant information (steps, running, cycling, HeartPoints) and to use it for challenges and training minutes for the 'Weekly progress'.
• Permission: Information about 'body fitness'
  Purpose: This enables us to receive information about your height and weight and to include steps, distances and your personal health statistics in your profile.

You may change the permission at any time. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You provide this consent to Google and may withdraw it at any time.

h. Thryve Health SDK

Thryve, a service offered by mHealth Pioneers GmbH (Germany / EU) allows you to link to and import activity data from different sources. These include the manufacturers of Garmin, Fitbit, Polar, Withings and others, as well as your mobile phone and smartwatch sensors.

After you have given your explicit consent to the sharing of your data, which is to be processed by your manufacturer or requested by your mobile phone or smartwatch, we receive only a key from mHealth Pioneers GmbH to enable us to clearly allocate this data to your profile. You can define the scope of the data for each manufacturer. We do not receive any further profile information such as the email address used for your user account with the manufacturer of your fitness tracker. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. This consent provided to the manufacturer may be withdrawn at any time.

i. Advice from health experts and support

active365 offers you the option of contacting one of our health experts or support staff by email. Requesting advice from our health experts is voluntary. If you request one-to-one advice from a health expert, that health expert may view the health data which you have stored in active365. When you make use of our customer support service, our support staff may access data relating to your user account in order to help you. The data is processed in order to provide a service pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR. Your health data is processed on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. We use the Freshdesk tool provided by Freshworks Inc. (USA) for communicating with our experts. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

j. Transactional emails, notifications and product updates

We regularly send you emails regarding the functions of and updates to our product. We also send transactional and notification emails. These do not constitute promotional communications, but simply provide information about your account or our product. In this context, personal data such as your name and email address is processed. The emails are sent based on our legitimate interest in providing information about existing and new service offers and in the technical maintenance of our offers. The lawful basis is provided by Art. 6 para. 1 (f) GDPR. You may object to receiving product updates by clicking on the 'unsubscribe' link in the email. These emails are sent using the Sendgrid service provided by Twilio Ireland Limited, a subsidiary of Twilio Inc. (USA). This means that the transmission of data to the USA is not excluded. Twilio has its own binding corporate rules on data protection that were approved by the supervisory authority and guarantee an adequate level of data protection.

We also analyse the reading habits and open rates for our product updates. In this context, we collect and process pseudonymised user data, but we do not link this data to your email address or IP address. Art. 6 para. 1 (f) GDPR constitutes the lawful basis for the analysis of our updates, and the processing serves our legitimate interest in optimising our updates. You may object to this processing at any time by contacting one of the aforementioned channels.

k. Personalisation (Google Analytics for Firebase)

In our app we use the Google Analytics for Firebase service provided by Google Ireland Limited (Ireland / EU). Google Analytics for Firebase is a function offered by the Google Firebase development platform. Google Analytics is an analysis service that allows us to collect and analyse data relating to the behaviour of the users of our app in order to compile reports on the activities within our app. In this context, personal data such as online identifiers, IP addresses, device identifiers and information about users' interaction with our app is processed. You can find more information about data gathering in Google Analytics. The data is transmitted to Google Ireland, and Google processes the data exclusively on our behalf.Some of this data is information that is stored on the end device used by you. In addition, Google Analytics sometimes also stores other information on the end device used by you. Google Analytics stores such information and accesses information already stored on your end device only with your consent. Art. 6 para. 1 (a) GDPR constitutes the lawful basis for the processing of data in relation to the Google Analytics service. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'App customization and marketing'.

Google Analytics stores certain advertiser identifier data for 60 days and creates aggregated reports in a non-automated process. Data at the user level, including conversions, is stored for up to 14 months. All other event data is stored for two months. The transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

l. Quality improvement (Google Crashlytics)

In our app we use the Firebase Crashlytics service provided by Google Ireland Limited (Ireland / EU). Firebase Crashlytics is a function offered by the Google Firebase development platform. Firebase Crashlytics is a crash reporting service that helps us to improve the stability and reliability of our app. Various data is compiled in crash reports and sent to us. To this end, the data is transmitted to Google Ireland, and Google processes the data exclusively on our behalf.

Some of this data is information that is stored on the end device used by you. Information already stored on your end device is accessed only with your consent. The lawful basis for accessing the end device is provided by §25 para. 1 TDDDG. Where personal data is processed, the lawful basis is provided by Art. 6 para. 1 (a) GDPR.

Crash reports are sent only with your explicit consent. If you use an iOS app, you can give your consent in the app settings or after a crash. If you use an Android app, you can provide general consent to the delivery of crash notifications to Google and the app developer when setting up your mobile end device.

You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'Improve app quality'.

This data is stored for a maximum of 90 days. The transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

m. Measurement of reach (Adjust)

In our app we use the Adjust service provided by Adjust GmbH (Germany / EU).

Adjust is an analysis and attribution service that allows us to collect and analyse data via the installation channels of our app, measure the success of marketing measures, allocate user behaviour to specific campaigns, and better understand interactions within the app. In this context, personal data such as online identifiers, IP addresses, device identifiers (user agents), mobile identifiers (e.g. Apple's IDFA, Google Advertising ID), the date of installation of the app, information about viewed or clicked advertisements, and information exchanged with our app is processed. You can find more information about the capture of data in Adjust. The data is transmitted to Adjust, and Adjust processes the data exclusively on our behalf.

Some of this data is information that is stored on the end device used by you. Adjust sometimes also stores other information on the end device used by you. Adjust stores such information and accesses information already stored on your end device only with your consent. Art. 6 para. 1 (a) GDPR constitutes the lawful basis for the processing of data in relation to the Adjust service. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Settings', 'Personalisation'.

Adjust stores certain advertiser identifier data for 60 days and creates aggregated reports in a non-automated process. Data at the user level, including conversions, is stored for up to 14 months. All other event data is stored for 2 months.

The transmission of data to countries outside of the European Union cannot be excluded. Adjust applies appropriate legal mechanisms – such as adequacy decisions by the EU Commission or standard contractual clauses (SCCs) – to ensure that an adequate level of data protection is guaranteed. See also 'Transmission of data to third countries'.

n. Adobe Tracking (AEP)

In our app we use the Adobe Tracking (AEP) service provided by Adobe Systems Software Ireland Limited (Ireland, EU) to analyse the use of our app. In this context, personal data such as online identifiers (including cookie identifiers), IP addresses, device identifiers and information about the interaction with our website is processed on our behalf by Adobe Systems Software Ireland Limited. You can see a complete list of the processed data. We only use Adobe Tracking (AEP) with activated IP anonymisation. This means that the user's IP address is abbreviated by Adobe Systems Software Ireland Limited within the European Union and in other signatory states to the Agreement on the European Economic Area.

Your data is processed on the basis of your consent pursuant to Art. 6 para. 1 (a) GDPR.

Adobe sometimes uses information that is stored on your end device, or itself sometimes stores information on the end device used by you. Adobe stores such information and accesses information already stored on your end device only with your consent. The lawful basis for accessing your end device is provided by your consent pursuant to §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'Personalisation'.

You can find more information about data protection at Adobe Systems Software Ireland Limited in Adobe's privacy policy.

6. Other data processing within the active365 app

a. 1-on-1 video coaching

You can book a video conference with a professional coach. For this, access to the camera and microphone is required. Data processing takes place only when you use this function and it is generally required to provide the service, on the lawful basis of Art. 6 para. 1 (b) GDPR. Your health data is processed on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. The infrastructure is hosted on the servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg / EU). AWS is the processor and may only process the data in accordance with our instructions. The transmission of your personal data to the USA cannot be excluded in relation to the service provided by AWS. In this regard, please refer to the section on 'Transmission of data to third countries'.

7. Communication via email, phone, etc.

When contact is established with us (e.g. by email or phone), the data you provide to us, the details of the requesting party (e.g. first name, surname, address, phone number, email address) and the content of your message or notification are processed in order to react to and answer your query in accordance with Art. 6 para. 1 (b) GDPR. This is done to enable us to communicate with you and provide you with a satisfactory and conscientious answer and is based on our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR, if you have contacted us, for example by replying to your questions, processing your orders, or providing you with the required information. We use Google Workspace provided by Google Ireland Limited (Ireland / EU) for our internal communications. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

8. Anonymisation and right to forward data to third parties

As the operator, we make the active365 app available to you on behalf of CSS Health Insurance Ltd.

Gemeinsam mit der CSS-Kranken-Versicherung AG möchten wir dich bei der Verbesserung deines Gesundheitszustandes unterstützen. Dir steht es frei, dich bei uns zu registrieren.

As the operator of the app, eTherapists GmbH sends your personal data to CSS Health insurance Ltd in the following cases. This is not done on a personalised basis, but under a pseudonymised hash value and your user ID.

• To verify that you are a CSS client so that you can use the app;
• To measure the success of advertising campaigns;
• To provide information about the collection of activePoints (but without details and the total number of activePoints).

Different amounts of activePoints are awarded when an activity is completed. If, as a verified user, you request payment of the collected activePoints in the app, eTherapists GmbH informs CSS Holding AG of the payment made for the purpose of settlement and invoicing, and forwards the following data for the purpose of evaluation and further development of the app:

• Pseudonymised user ID
• Number of collected activePoints
• Analysis of user behaviour in pseudonymised form

In addition, your data may be used to prepare a totally anonymous health report for CSS Health Insurance Ltd. For example, these health reports provide information on how many people insured with CSS Health Insurance use the app, which content is the most popular, and what health improvements may have been achieved through the app. The anonymity of the content is ensured by our only preparing reports when more than 15 people use the app. It is not possible to come to any conclusions about your personal state of health based on the use of the app and our services.

We, eTherapists GmbH, remain authorised to forward or disclose user data if this is necessary for compliance with applicable laws and regulations, for internal and external audits, financial controlling, court proceedings, on request of the competent courts and authorities, or for other reasons in order to protect and defend our rights and your property.

9. Using our services from Switzerland

If you live within the scope of application of Switzerland's Federal Act on Data Protection, the provisions of the Federal Act on Data Protection ('DSG') shall apply. This applies in particular to the data subject rights pursuant to Arts. 25-29, 32 DSG. In all other respects the provisions of the GDPR and BDSG are declared applicable on a supplementary basis, i.e. the relevant data protection laws apply.

Data is also processed in the following countries outside of Switzerland:

• Federal Republic of Germany
• United States of America (USA)

We guarantee an appropriate level of data protection. This is ensured by: a recognised adequate level of data protection pursuant to Art. 16 para. 1 DSG for the receiving country; standard contractual clauses approved, issued or recognised in advance by the Federal Data Protection and Information Commissioner (FDPIC), in particular the Standard Contractual Clauses of the European Commission; an international treaty regulating an appropriate level of data protection.

As at: [1.6.2.CSS, 24.01.2025; CSS branded]
Last Updated: May 2026