Information on data protection for users of the active365 app

As a user of our active365 app, this privacy policy informs you about how we handle your personal data and about your rights under the European General Data Protection Regulation ('GDPR'), the German Federal Data Protection Act (Bundesdatenschutzgesetz, 'BDSG') and the Swiss Data Protection Act (Datenschutzgesetz 'DSG'). eTherapists GmbH (hereinafter referred to as 'we' or 'us') is responsible for the processing of your data.

General information

1. Contact details

If you have any questions or comments regarding this information or wish to contact us to assert your rights, please address your query to:

eTherapists GmbH | TELUS Health
Invalidenstr. 117, 10115 Berlin (Germany)
Email: dataprivacy.support@active365.app

2. Our processing of personal data

The term 'personal data' used in data protection law refers to all information relating to an identified or identifiable person. We process personal data in compliance with the applicable data protection provisions.

You may also sometimes disclose data to us about other persons (e.g. support requests). We will assume that you are authorised to do this and that the data is correct. Please inform these persons of our processing of their data (e.g. by referring them to this privacy policy).

You are not obliged to disclose any data to us. However, without certain data, the app or some of its functions cannot be used (e.g. no payments without IBAN, no activePoints for sports activities if not linked to a tracker).

3. Lawful basis

We only process data on the basis of legal permission where the applicable laws – such as the GDPR and the BDSG – require such permission. In this case, we only process personal data with your consent (Art. 6 para. 1 (a) GDPR), to perform a contract to which you are a contracting party or to take steps at your request prior to entering into the contract (Art. 6 para. 1 (b) GDPR), to comply with a legal obligation (Art. 6 para. 1 (c) GDPR), or if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 para. 1 (f) GDPR).

The app is available to persons aged 18 and over. Minors from the age of 16 may use the app if their legal representative provides a declaration of consent; the details are governed by the terms of use. If the consent of the legal representative is also required under the applicable laws (e.g. under Art. 8 GDPR and supplementary national provisions), we will collect this consent or request proof thereof.

4. Duration of storage

Unless indicated otherwise by the following information, we process your personal data for as long as required for the purpose of processing or by any statutory retention obligations, or if we have a legitimate interest in its further storage. After expiry of the relevant storage periods we will erase your data, but reserve the right to anonymise personal data and to continue to use it in anonymised form for evaluation and optimisation purposes:

  • Evidence (photo uploads, documents) that served as the basis for crediting or paying out activePoints: three years from transmission.
  • Vouchers: three years from issue (you are responsible for redeeming these in time).
  • Data relating to payments (eTherapists, CSS Holding AG and Creative Cloud AG): in accordance with the applicable retention periods – in Germany we store personal data contained in our accounting records for ten years from the end of the calendar year in which the data was gathered, while personal data contained in commercial correspondence and contracts is stored for six years. In addition, the financial intermediary stores data in accordance with their obligations under the applicable anti-money laundering legislation.
  • User account data: until your account is deleted by you or us. Please note that any deletion of the user account is irrevocable and will lead to the expiry of previously collected activePoints.
  • We will erase data which we process on the basis of your consent after a suitable implementation period if you object to processing for this purpose.
  • Other data: as long as required for the purpose of processing, as long as we have a legitimate interest in storing the data (e.g. to exercise legal claims, in particular with regard to current limitation periods or for safeguarding IT security) or as long as required by statutory retention obligations. We will store data relating to verifiable consents and complaints and claims for the duration of the statutory limitation periods.

5. Categories of data recipients

We use processors to help us process your data. Processing operations carried out by such processors include, for example, hosting, email delivery, maintenance and support of IT systems, customer and order management, order processing, accounting and settlement, marketing measures, and document and data carrier destruction. A processor is a natural person or legal entity, public authority, agency or other body that processes personal data on behalf of the controller responsible for data processing. Processors do not use the data for their own purposes but process the data only on behalf of us as the controller, and are contractually obliged to implement appropriate technical and organisational measures to ensure that data protection is guaranteed. If applicable, we may also transmit your personal data to bodies such as the postal and delivery service, principal bank, tax / auditing company or finance administration. Other recipients may be indicated by the following information (in particular section 5).

6. Transmission of data to third countries

Our data processing activities may involve the transmission of specific personal data to third countries, i.e. to countries where the GDPR or the Swiss DSG is not part of the applicable laws. Recipients of personal data may be located in the following countries in particular: Switzerland, the Federal Republic of Germany, the United States of America (USA). As these recipients may themselves use the services of processors and other service providers, personal data may also end up in other countries, potentially worldwide.

Such a transmission takes place lawfully if the competent body (in the EU: the European Commission; in Switzerland: the Federal Council) has found that an adequate level of data protection is ensured in such a third country. Adequacy decisions have been issued for the following countries (for Switzerland: Annex 1 to the Data Protection Ordinance). For the transmission of data to the USA, the adequacy decision applies to companies that are certified under the Privacy Framework and included in this list.

In the absence of an adequacy decision, personal data will be transmitted to a third country only if appropriate safeguards have been provided pursuant to Art. 46 GDPR or Art. 16 para. 2 DSG and we can act on the basis of a derogation provision (Art. 49 GDPR; Art. 17 DSG). An exception may apply in particular to legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires such disclosure, if you have given your consent, or if the data concerned has been made publicly available by you and you did not object to the processing of this data.

If there is no adequacy decision and nothing to the contrary is stated below, we use the EU's Standard Contractual Clauses (SCCs) as appropriate data protection safeguards for the transmission of personal data to third countries. If you wish to receive or view a copy of these EU Standard Contractual Clauses, please contact the address provided above.

If you consent to the transfer of personal data to third countries, transmission will take place on the lawful basis of Art. 49 para. 1 (a) GDPR.

7. Processing when you exercise your rights

If you exercise your rights in accordance with Arts. 15 to 22 GDPR, we will process the transmitted personal data for the purpose of implementing these rights and in order to provide proof that we have done so. Data stored for the purpose of providing and preparing information will be processed only for this purpose and for the purpose of monitoring data protection; we will restrict its processing for any other purposes.

The lawful basis for such processing is provided by Art. 6 para. 1 (c) GDPR in conjunction with Art. 15 to 22 GDPR and §34 para. 2 BDSG.

8. Your rights

As a data subject you are entitled to assert data subject rights against us. You have the following rights in particular under the laws that apply to our processing activities, subject to the appropriate restrictions and exceptions. Certain deviations apply under the Swiss DSG:

  • Under Art. 15 GDPR and §34 BDSG you have the right to obtain confirmation as to whether or not and to what extent personal data concerning you is being processed. You can assert your right to information in the app under 'Account', 'Manage account', 'Request data'.
  • You have the right under Art. 16 GDPR to obtain from us the rectification of your data.
  • You have the right under Art. 17 GDPR and §35 BDSG to obtain from us the erasure of your personal data. You can assert your right to erasure in the app under 'Account', 'Manage account', 'Delete account'.
  • You have the right under Art. 18 GDPR to request us to restrict the processing of your personal data.
  • You have the right under Art. 20 GDPR to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format and the right to transmit this data to another controller.
  • If you have consented separately to the processing of your data, you may withdraw this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a withdrawal of consent shall not affect the lawfulness of the processing based on that consent prior to its withdrawal.
  • If you believe that the processing of your personal data breaches the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority under Art. 77 GDPR. The competent supervisory authority in Germany is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, mailbox@datenschutz-berlin.de. You may also contact a supervisory authority at the place where you live or work. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (EDÖB).

9. Right of objection

Under Art. 21 para. 1 GDPR you have the right to object, on grounds relating to your particular situation, to processing of your personal data which is lawfully based on Art. 6 para. 1 (e) or (f). Where we process your personal data for direct marketing purposes, you can object to this processing pursuant to Art. 21 paras. 2 and 3 GDPR.

10. Data protection officer

The contact details of the data protection officer are:

Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg (Germany)
Email: datenschutz@e-therapists.de
www.datenschutzkanzlei.de

Data processing while using active365

1. Processing of personal data – overview

Personal data is defined as all information relating to an identified or identifiable person. This includes information that makes it possible to identify you directly, such as your name or photo, as well as facts that can indirectly reveal information about you, such as details of your body, impairments or complaints, information about your leisure activities, and data which you provide for quality improvement purposes while using the app.

Personal data also includes information that is provided under a pseudonym, without disclosing your name. Data protection law generally also classifies the IP address as an item of personal data. An IP address is allocated by the internet provider to each device connected to the internet so that it can send and receive data. Health data is personal data that directly or indirectly provides information about the health of a person. Such data includes information about your physical well-being / complaints or about your mental / psychological health. Health data falls into the special categories of personal data that are subject to a particularly high level of protection.

When using active365, we capture information that you yourself provide. We also automatically capture information relating to your use of the app. The following describes in detail what data related to you we process, and for what purposes.

2. Cookies and comparable technologies

In our app, we use cookies and comparable technologies ('cookies'). Cookies are small sets of data that are stored on your device when you use our app.

a. Cookies used in the app

Some cookies are technically required for the operation of our app and are therefore permitted without your consent. In other respects, we would like to use cookies to enable us to offer certain functions and to analyse our app and its use. That may also include third party cookies. You can find more information about this in this privacy policy. Cookies that are not technically required are used only with your consent pursuant to §25 para. 1 of the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, 'TDDDG') and Art. 6 para. 1 (a) GDPR, where applicable

Information on the individual cookies at a glance
You can find information about the purposes, providers and storage period of individual cookies in the following table.
Cookie Provider Purpose Storage period
Crashlytics Google Ireland Limited (Ireland / EU) Improve the quality of the app – transmit crash information Until the app is reinstalled / deleted
Google Analytics for Firebase Google Ireland Limited (Ireland / EU) Personalisation – click tracking to adjust functions and content Until the app is reinstalled / deleted
Clevertap WizRocket Inc. (USA) Personalisation – click tracking to adjust functions and content Until the app is reinstalled / deleted
Adjust Adjust GmbH Measurement of app installations Until the app is reinstalled / deleted
Adobe Tracking (AEP) Adobe Systems Software Ireland Limited Measurement of app opening and verification Until the app is reinstalled / deleted

You can adjust the selection of cookies and withdraw your consent at any time. You can find this option in the app under Menu, 'Account', 'Manage opt-ins'.

3. Downloading the app

When downloading the app, certain required information is processed by the app store selected by you (Google Play or Apple App Store). During this process, in particular information such as the user name, email address, client number of your account, time of the download and the individual device number may be processed. This data is processed exclusively by the provider of the app store in question and lies outside our sphere of influence.

4. Registration and installation of an active365 app user account

You have to set up an active365 user account if you wish to benefit from our active365 offers and services. When you register we usually record your email address, password and IP address. The login data which you enter to use the active365 offers is stored on European servers of the service provider mandated by eTherapists GmbH.

When setting up your user account you can decide how you want to register. We offer the following options for registering your user account:

a. Setting up a user account with an email address

You can set up your user account and access the active365 offers and services by using an email address.

b. Setting up a user account with a Google account

If you choose to sign in using Google, your email address and first name will be transmitted to us from your Google user account. This data is used by us only for the purpose of login and registration. However, the log-in service also allows Google to record when and how you logged in to active365. No information is passed on regarding your use of the contents or services.

c. Setting up a user account using 'Sign in with Apple'

When you use 'Sign in with Apple' you can decide for yourself whether your email address linked to your Apple ID or a private relay address (alias) is transmitted to us. The private relay address automatically forwards all emails from us to the email address linked to your Apple ID. You can find more information about 'Sign in with Apple'. We do not forward any information to Apple about your use of the contents or services provided by active365.

The data is processed in order to provide a service pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR.

d. Confirmation as a verified user

If, as a verified user, you wish to have your activePoints paid out, you voluntarily provide your client number and date of birth. We match this information to pseudonymised hash values that we receive from CSS Health Insurance Ltd so as to check whether you have a current insurance relationship under the Federal Insurance Contract Act (VVG) with CSS Health Insurance Ltd. The data is processed in order to provide a service pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR.

5. Data processing during use

a. Automatic processing of personal data while using the app

When you use our app we collect the following data that is required technically to provide the functions of our app and to ensure its stability and security.

  • IP address
  • Date and time of query
  • Time zone difference to coordinated universal time (UTC)
  • Content of query (specific page)
  • Access status / HTTP status code
  • Volume of data transmitted
  • User agent of app
  • Operating system and its user interface
  • Language and version of app

We also process usage habits and interactions within the app, including the duration and frequency of sessions, language and country settings, search terms and results, and ratings provided.

Art. 6 para. 1 (f) GDPR constitutes the lawful basis for the processing of this data, which serves our legitimate interest in ensuring the security and stability of our app.

The infrastructure is hosted on the servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg / EU). AWS is the processor and may only process the data in accordance with our instructions. The transmission of your personal data to the USA cannot be excluded in relation to the service provided by AWS. In this regard, please refer to the section on 'Transmission of data to third countries'. To analyse access and ensure data security, we also use the New Relic service provided by New Relic, Inc. (USA), which in its capacity as processor processes the data solely in accordance with instructions. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

b. User profile and content data

We process the data which you provide to us in your user profile and which we collect and process during the use of the app. This includes the information provided in your user profile, e.g. weight, movement data or dietary habits (only if you provide this information to us voluntarily), user behaviour and sometimes also access rights to your smartphone (e.g. when you want to upload a profile photo). The data is processed in order to provide our service to you pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR.

We store the user profiles and the data collected during use of the app in CleverTap, a service offered by WizRocket Inc. (USA), which as processor is contractually obliged to process the data solely in accordance with our instructions.

Personalised optionCleverTap enables us to analyse data in order to deliver push notifications based on user behaviour and to adjust the contents of mailshots. Data is processed for this purpose, and personalised notifications are sent to you only if you have provided your consent. The lawful basis is provided by Art. 6 para. 1 (a) GDPR. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Settings', 'Personalisation'.

Non-personalised option
CleverTap enables us to send push notifications to motivate you as the user. Your usage is not analysed for this purpose. The lawful basis for the display of notifications is our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR in structured user management and motivating messages for our users.

The use of CleverTap means that the transmission of data to the USA cannot be excluded. Please refer to the section on 'Transmission of data to third countries'.

c. Health data

When you make use of our offer, health data is required to be processed in accordance with Art. 9 para. 1 GDPR. This data must be processed in order for us to provide our service. Health data is processed exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. If you do not give your consent, we cannot provide the service offered. You may withdraw or change your consent at any time in the app by going to Menu 'Account', 'Manage opt-ins'. Please note that you will no longer be able to use our service if you withdraw your consent. The use of our offer is voluntary.

d. Anonymisation

We reserve the right to anonymise your personal data before using it for evaluation and optimisation purposes. Your data will be anonymised on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You may withdraw or change your consent at any time in the app by going to Menu 'Account', 'Settings'. Please note that you will no longer be able to use our service if you withdraw your consent. The use of our offer is voluntary.

e. Use of activity information relating to linked accounts and third-party providers

You can import activity information from other platforms into your active365 app. You must explicitly express your agreement on these platforms that you wish to link these platforms to your user account in order to import this data. You can also determine yourself which data should be imported.

You can link the following providers / platforms to your active365 user account:

f. Apple Health app

With an Apple product you can capture activity and health data or import such data from different apps into the Apple Health app. You must explicitly agree to share this data with active365 and permit active365 to export data to Apple Health. You may change the permission at any time. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You provide this consent to Apple and may withdraw it at any time.

g. Google Fit app

With an Android device you can capture activity and health data or import such data from different apps into the Google Fit app. You must explicitly agree to share this data with active365 and permit active365 to export data to Google Fit. You may withdraw the permission at any time. The use of active365 and the transmission of information to other applications which we receive from Google APIs are governed by the Google API Services User Data Policy, including the conditions for limited use. The app requests relevant permission for the following purposes:

  • Permission: Information about 'fitness location'
    Purpose: To capture your data for step, running and cycling challenges. We cannot (and do not) request your location in this case.
  • Permission: Information about 'fitness activity'
    Purpose: This enables us to differentiate between various activity types, to request the relevant information (steps, running, cycling, HeartPoints) and to use it for challenges and training minutes for the 'Weekly progress'.
  • Permission: Information about 'body fitness'
    Purpose: This enables us to receive information about your height and weight and to include steps, distances and your personal health statistics in your profile.

You may change the permission at any time. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. You provide this consent to Google and may withdraw it at any time.

h. Thryve Health SDK

Thryve, a service offered by mHealth Pioneers GmbH (Germany / EU) allows you to link to and import activity data from different sources. These include the manufacturers of Garmin, Fitbit, Polar, Withings and others, as well as your mobile phone and smartwatch sensors.

After you have given your explicit consent to the sharing of your data, which is to be processed by your manufacturer or requested by your mobile phone or smartwatch, we receive only a key from mHealth Pioneers GmbH to enable us to clearly allocate this data to your profile. You can define the scope of the data for each manufacturer. We do not receive any further profile information such as the email address used for your user account with the manufacturer of your fitness tracker. Data is exchanged exclusively with your consent pursuant to Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. This consent provided to the manufacturer may be withdrawn at any time.

i. Advice from health experts and support

active365 offers you the option of contacting one of our health experts or support staff by email. Requesting advice from our health experts is voluntary. If you request one-to-one advice from a health expert, that health expert may view the health data which you have stored in active365. When you make use of our customer support service, our support staff may access data relating to your user account in order to help you. The data is processed in order to provide a service pursuant to the lawful basis of Art. 6 para. 1 (b) GDPR. Your health data is processed on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. We use the Freshdesk tool provided by Freshworks Inc. (USA) for communicating with our experts. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

j. Transactional emails, notifi­cations and product updates

We regularly send you emails regarding the functions of and updates to our product. We also send transactional and notification emails. These do not constitute promotional communications, but simply provide information about your account or our product. In this context, personal data such as your name and email address is processed. The emails are sent based on our legitimate interest in providing information about existing and new service offers and in the technical maintenance of our offers. The lawful basis is provided by Art. 6 para. 1 (f) GDPR. You may object to receiving product updates by clicking on the 'unsubscribe' link in the email. These emails are sent using the Sendgrid service provided by Twilio Ireland Limited, a subsidiary of Twilio Inc. (USA). This means that the transmission of data to the USA is not excluded. Twilio has its own binding corporate rules on data protection that were approved by the supervisory authority and guarantee an adequate level of data protection.

We also analyse the reading habits and open rates for our product updates. In this context, we collect and process pseudonymised user data, but we do not link this data to your email address or IP address. Art. 6 para. 1 (f) GDPR constitutes the lawful basis for the analysis of our updates, and the processing serves our legitimate interest in optimising our updates. You may object to this processing at any time by contacting one of the aforementioned channels.

k. Personalisation (Google Analytics for Firebase)

In our app we use the Google Analytics for Firebase service provided by Google Ireland Limited (Ireland / EU). Google Analytics for Firebase is a function offered by the Google Firebase development platform. Google Analytics is an analysis service that allows us to collect and analyse data relating to the behaviour of the users of our app in order to compile reports on the activities within our app. In this context, personal data such as online identifiers, IP addresses, device identifiers and information about users' interaction with our app is processed. You can find more information about data gathering in Google Analytics. The data is transmitted to Google Ireland, and Google processes the data exclusively on our behalf.Some of this data is information that is stored on the end device used by you. In addition, Google Analytics sometimes also stores other information on the end device used by you. Google Analytics stores such information and accesses information already stored on your end device only with your consent. Art. 6 para. 1 (a) GDPR constitutes the lawful basis for the processing of data in relation to the Google Analytics service. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'App customization and marketing'.

Google Analytics stores certain advertiser identifier data for 60 days and creates aggregated reports in a non-automated process. Data at the user level, including conversions, is stored for up to 14 months. All other event data is stored for two months. The transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

l. Quality improvement (Google Crashlytics)

In our app we use the Firebase Crashlytics service provided by Google Ireland Limited (Ireland / EU). Firebase Crashlytics is a function offered by the Google Firebase development platform. Firebase Crashlytics is a crash reporting service that helps us to improve the stability and reliability of our app. Various data is compiled in crash reports and sent to us. To this end, the data is transmitted to Google Ireland, and Google processes the data exclusively on our behalf.

Some of this data is information that is stored on the end device used by you. Information already stored on your end device is accessed only with your consent. The lawful basis for accessing the end device is provided by §25 para. 1 TDDDG. Where personal data is processed, the lawful basis is provided by Art. 6 para. 1 (a) GDPR.

Crash reports are sent only with your explicit consent. If you use an iOS app, you can give your consent in the app settings or after a crash. If you use an Android app, you can provide general consent to the delivery of crash notifications to Google and the app developer when setting up your mobile end device.

You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'Improve app quality'.

This data is stored for a maximum of 90 days. The transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

m. Measurement of reach (Adjust)

In our app we use the Adjust service provided by Adjust GmbH (Germany / EU).

Adjust is an analysis and attribution service that allows us to collect and analyse data via the installation channels of our app, measure the success of marketing measures, allocate user behaviour to specific campaigns, and better understand interactions within the app. In this context, personal data such as online identifiers, IP addresses, device identifiers (user agents), mobile identifiers (e.g. Apple's IDFA, Google Advertising ID), the date of installation of the app, information about viewed or clicked advertisements, and information exchanged with our app is processed. You can find more information about the capture of data in Adjust. The data is transmitted to Adjust, and Adjust processes the data exclusively on our behalf.

Some of this data is information that is stored on the end device used by you. Adjust sometimes also stores other information on the end device used by you. Adjust stores such information and accesses information already stored on your end device only with your consent. Art. 6 para. 1 (a) GDPR constitutes the lawful basis for the processing of data in relation to the Adjust service. The lawful basis for accessing your end device is provided by §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Settings', 'Personalisation'.

Adjust stores certain advertiser identifier data for 60 days and creates aggregated reports in a non-automated process. Data at the user level, including conversions, is stored for up to 14 months. All other event data is stored for 2 months.

The transmission of data to countries outside of the European Union cannot be excluded. Adjust applies appropriate legal mechanisms – such as adequacy decisions by the EU Commission or standard contractual clauses (SCCs) – to ensure that an adequate level of data protection is guaranteed. See also 'Transmission of data to third countries'.

n. Adobe Tracking (AEP)

In our app we use the Adobe Tracking (AEP) service provided by Adobe Systems Software Ireland Limited (Ireland, EU) to analyse the use of our app. In this context, personal data such as online identifiers (including cookie identifiers), IP addresses, device identifiers and information about the interaction with our website is processed on our behalf by Adobe Systems Software Ireland Limited. You can see a complete list of the processed data. We only use Adobe Tracking (AEP) with activated IP anonymisation. This means that the user's IP address is abbreviated by Adobe Systems Software Ireland Limited within the European Union and in other signatory states to the Agreement on the European Economic Area.

Your data is processed on the basis of your consent pursuant to Art. 6 para. 1 (a) GDPR.

Adobe sometimes uses information that is stored on your end device, or itself sometimes stores information on the end device used by you. Adobe stores such information and accesses information already stored on your end device only with your consent. The lawful basis for accessing your end device is provided by your consent pursuant to §25 para. 1 TDDDG. You may withdraw your consent at any time with future effect. You can find this option in the app under Menu 'Account', 'Manage opt-ins', 'Personalisation'.

You can find more information about data protection at Adobe Systems Software Ireland Limited in Adobe's privacy policy.

6. Other data processing within the active365 app

a. 1-on-1 video coaching

You can book a video conference with a professional coach. For this, access to the camera and microphone is required. Data processing takes place only when you use this function and it is generally required to provide the service, on the lawful basis of Art. 6 para. 1 (b) GDPR. Your health data is processed on the basis of the consent given to us when you registered. The lawful basis is provided by Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR. The infrastructure is hosted on the servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg / EU). AWS is the processor and may only process the data in accordance with our instructions. The transmission of your personal data to the USA cannot be excluded in relation to the service provided by AWS. In this regard, please refer to the section on 'Transmission of data to third countries'.

b. Payment of activePoints

To make a payment by bank transfer we need your IBAN number (account with a Swiss bank) as well as the first name and surname of the account holder. Creative Cloud AG makes the payment as a financial intermediary from a fiduciary payment account. We periodically provide Creative Cloud AG with the data required to make the payment. CSS Holding AG, who finances these payments, generally does not receive any information about which users have received rewards.

When payment is made in the form of a voucher, we use your data to issue and store the voucher for the online shop enjoy365. In the case of a donation, we forward the donation amount without any personal data to the selected charitable institution (whereby the donor is not entitled to a donation receipt). The lawful basis is provided by Art. 6 para. 1 (b) GDPR.

c. Photo evidence

To the extent possible, photo evidence is automatically evaluated by an image verification service provided by Google as processor, who stores the photos for a short time purely for verification purposes before erasing them. If necessary, authorised employees of eTherapists may perform a manual evaluation. Photo evidence and other evidence provided for the crediting or paying out of activePoints are stored for three years. This also applies if you delete your user account before the end of this period. The lawful basis is provided by Art. 6 para. 1 (b) GDPR.

d. Prevention of misuse and fraud

We process personal data in order to ensure compliance with the conditions of use and to identify and prevent misuse. This includes in particular the identification of multiple accounts held by the same person, the identification of manipulation of usage and tracking data, and the identification of interference with the app's security mechanisms. In the event of justified suspicion we reserve the right to block or delete the user account. The lawful basis is provided by Art. 6 para. 1 (f) GDPR; we have a legitimate interest in ensuring the integrity and freedom from misuse of our offer.

e. Activities and offers of third-party providers

Activities or offers of the CSS Group and third-party providers, such as welcome activities, challenges, competitions or paid third-party offers, may be integrated into the app. The terms of business and data privacy policy of the provider in question apply to such third-party offers; you must approve these in advance. The third-party provider processes the data under its own responsibility.

7. Marketing

We regularly inform you in the app about products and services offered by the CSS Group. We request your prior consent for direct marketing that requires consent, except in exceptional cases where the applicable laws allow direct marketing without consent using the data provided by you when signing the user agreement. You may object to direct marketing or revoke your consent to such marketing at any time (section 8).

8. Communication via email, phone, etc.

When contact is established with us (e.g. by email or phone), the data you provide to us, the details of the requesting party (e.g. first name, surname, address, phone number, email address) and the content of your message or notification are processed in order to react to and answer your query in accordance with Art. 6 para. 1 (b) GDPR. This is done to enable us to communicate with you and provide you with a satisfactory and conscientious answer and is based on our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR, if you have contacted us, for example by replying to your questions, processing your orders, or providing you with the required information. We use Google Workspace provided by Google Ireland Limited (Ireland / EU) for our internal communications. This means that the transmission of data to the USA is not excluded. Please refer to the section on 'Transmission of data to third countries'.

9. Anonymisation and forwarding of data to third parties

As the operator, we make the active365 app available to you on behalf of CSS Health Insurance Ltd.

Gemeinsam mit der CSS-Kranken-Versicherung AG möchten wir dich bei der Verbesserung deines Gesundheitszustandes unterstützen. Dir steht es frei, dich bei uns zu registrieren.

As the operator of the app, eTherapists GmbH sends your personal data to CSS Health insurance Ltd in the following cases. This is not done on a personalised basis, but under a pseudonymised hash value and your user ID.

  • To verify that you are a CSS client so that you can use the app;
  • To measure the success of advertising campaigns;
  • To provide information about the collection of activePoints (but without details and the total number of activePoints).

Different amounts of activePoints are awarded when an activity is completed. If, as a verified user, you request payment of the collected activePoints in the app, eTherapists GmbH informs CSS Holding AG of the payment made for the purpose of settlement and invoicing, and forwards the following data for the purpose of evaluation and further development of the app:

  • Pseudonymised user ID
  • Number of collected activePoints
  • Analysis of user behaviour in pseudonymised form

In addition, your data may be used to prepare a totally anonymous health report for CSS Health Insurance Ltd. For example, these health reports provide information on how many people insured with CSS Health Insurance use the app, which content is the most popular, and what health improvements may have been achieved through the app. The anonymity of the content is ensured by our only preparing reports when more than 15 people use the app. It is not possible to come to any conclusions about your personal state of health based on the use of the app and our services.

We also forward data to the following recipients in connection with the activePoints system and the management of the app:

  • CSS Holding AG (Switzerland): receives a monthly overview of the collected activePoints and evaluations for the purpose of settlement and further development of the app; no personal data is provided;
  • CSS Health Insurance Ltd (Switzerland): delivers pseudonymised hash values for cross-checking verification data; in the case of forwarded support requests it receives your user ID;
  • Creative Cloud AG (Switzerland) as financial intermediary: periodically receives IBAN, first name and surname as well as the payment amount for the execution of the bank transfer;
  • Health Service 365 AG (Switzerland) as the operator of www.enjoy365.ch when vouchers are redeemed;
  • PostFinance Ltd (Switzerland) as the bank managing the payment account run by Creative Cloud AG as well as other banks and payment providers;
  • Buyers and sellers involved in corporate transactions to the extent required for checking or executing a transaction;
  • External advisors and auditors (e.g. internal and external audits, financial controlling, court cases).

We, eTherapists GmbH, remain authorised to forward or disclose user data if this is necessary for compliance with applicable laws and regulations, for internal and external audits, financial controlling, court proceedings, on request of the competent courts and authorities, or for other reasons in order to protect and defend our rights and your property.

 

We may amend this privacy policy at any time. The version published in the app applies.

As at: [1.6.2.CSS, 24.01.2025; CSS branded]
Last Updated: July 2026