Data Privacy Policy of Vivira Health Lab GmbH for the Digital Health Application (DiGA) “Vivira” and for the website www.vivira.com

Therapeutic training at home
for back, knee and hip pain

As of 20 January 2021

Your data belongs to you and is controlled by you. By giving consent to the processing of your data, you enable us to offer you the best possible therapeutic Vivira-training.

The protection of your data and your privacy are very important to us. We’re aware of the sensitive character of your health information. Therefore, the legislator refers to certain health data as “special personal data”. Such data is in particular need of protection.

At Vivira, we collect as little of your data as possible and protect it according to the state of technology. This Privacy Policy explains in detail how we do this.

Which questions does our Privacy Policy answer?

Our objective is to support you in conducting your therapeutic training at home as a complement to other treatment forms, while supporting you in reducing your knee, hip, or back pain.

This includes the clinical validation of our product by research organizations using anonymized data. 

The processing of your data serves these purposes exclusively.

Vivira Health Lab GmbH (“Vivira”) is located at Kurfürstendamm 54/55, 10707 Berlin, Germany. Vivira processes your personal data in connection with the Vivira-App (“App”) and the website www.vivira.com (“Website”). We’re “responsible” according to the German Basic Regulation on Data Protection (Deutsche Datenschutz-Grundverordnung – “DSGVO”).

We process your data only to the extent necessary for the provision of the Vivira services requested by you, as long as you consent to the processing, or if we’re authorized to do so by data protection laws. For the processing of your data, we separately ask for your consent. You can consent e.g., by activating the consent-slider in the Vivira App. We will keep a record of your consents.

You may view and revoke your consents at any time in the Vivira App under Profile > Settings > Manage your data.

The processing of your data occurs according to the state of technology of data protection and the requirements of DSGVO. Your data is stored and transferred in an encrypted form. For example, the Vivira website uses SSL or TLS encryption for data transmission. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to “https://” and by the lock symbol in your browser line. If the SSL or TLS encryption is activated, the data that you transfer to us cannot be read by third parties. These and further measures to ensure data protection are detailed in this Data Privacy Policy.

Requests can be sent to service@diga.vivira.com. For further information regarding our company, see www.vivira.com. You may also address questions to our data protection officer: Mike Peter, mpP Group/yourprivacyfirst: hello@yourprivacyfirst.de

On the one hand, your data is collected when you enter it into our systems. Other data is automatically collected by our IT systems after your consent.

Personal data is especially protected by law. Such data is information that relates to an identified or identifiable person.

With the exception of your email address and your IP-address, we do not collect any data that allows direct identification of your person. Nevertheless, the other data we collect become personalizable through your email address and IP address. A strictly confidential handling of all your data is therefore of great importance to us and we treat all data according to the same rules that apply to processing your personal data.

In case you do not wish to share necessary data with us, we’re unable to provide you with the services described in our terms and conditions.

Health Data

In the Vivira App

Vivira consists of four main features, in each of which health data is collected. The collection of the data is required for serving the purpose of Vivira and for providing the services as described in our terms and conditions. The four main features are:

a) Onboarding and generation of user account
b) Wellbeing Journal and Movement Test
c) Personalized training program
d) Steps and other activities

Providing your data is optional. However, the Vivira App can only function if you provide the data completely and correctly.

Re a)

By providing specific health data during Onboarding, you can exclude contraindications (are these present: yes/no) and enable the selection of the right Vivira program, while receiving general and specific information on Vivira in the context of the data you provide.

This requires data about possible contraindications, your demography (gender, age), your health condition (your problem areas, the severity and duration of your pain, medical diagnoses, movement limitations) and possible ongoing treatment with physiotherapy and/or pain medication.

The generation of a Vivira user account is required e.g. for security reasons to be able to use the Vivira App. With your user account, you can use your Vivira program after signing out from the App and then signing back in, after deleting and then reinstalling the App (though not after blocking of your account), and you can use the App on multiple devices.

During generation of your user account, you will be asked for your email address and asked to define a personal password. This enables us to set up and protect your account. We also need your email address in case we have to inform you about security-relevant issues regarding the product. For purposes of data security, we require a complex password with at least 8 characters, including at least one lowercase letter, one uppercase letter, and at least one number.

Disclosure of your email address qualifies all data collected, processed and used by Vivira as “special personal data” pursuant to the DSGVO. It is protected accordingly as such.

Re b)

The Wellbeing Journal and the Movement Test enable you to periodically register the status of your bodily condition. In the Wellbeing Journal, you provide data concerning your condition and treatment (pain, limitations to quality of life, work, household, and leisure activities, physiotherapy, and pain medication). In the Movement Test, you go through certain movements and indicate whether the movements could be conducted and if they were painful.

Re c)

The personalized therapeutic training program supports the reduction of your pain. Every day, you will receive several exercises that are explained by video, as well as information regarding the exercises. After each exercise, we will ask you questions regarding your ability and the pain you may have experienced during the exercise. Answering these questions enables us to adapt the exercises each day based on the answers you provided. We also give you the chance to exclude exercises in case of pain.

Re d)

Providing steps and other activities enables you to keep an eye on your overall activity level over time.

Technical Data

The technical data we collect informs us about the hardware and software you use:

In the Vivira App

  • Platform (e.g., iOS or Android)
  • Version of the Vivira-App
  • Manufacturer and model of your device
  • Version of the operating system of your end device

Data regarding use

The data regarding use that we collect informs us how you use the App and Website:

In the Vivira App

  • Time and frequency of use of App
  • Area of App that is used
  • Duration of use
  • App-settings used (language settings, notifications)
  • Feedback-data (incl. email-service)

We process your health data, technical data and data on use while you are using the App and while you maintain a user account with Vivira that is not blocked.

Vivira will store your data for as long as we have your consent to do so in the context of the delivery of the Vivira services. In the case of your objection or revocation of your consents, and in accordance with statutory requirements, Vivira will block and archive your data for a period of 3 years.

We do not share your data with third parties, unless:

  • we are obliged to do so by law
  • you have given us your explicit and specific consent to do so

Your consent includes our sharing of data with specific third-party analytics providers that are required to deliver our service to you according to our Terms and Conditions (AGB) and are explicitly listed in Sections 8 and 9 of this Data Privacy Policy.

It also includes sharing of anonymized data with research organizations, exclusively for purposes of clinical validation of our product. To receive a list of our current research organization partners, please send an email to service@diga.vivira.com.

Only with your explicit and additional specific consent will we transfer your data to certain doctors, therapists (“Providers”), Payors, or research institutions. In this case, Vivira acts as contract data processor pursuant to article 28 DSGVO and undertakes to comply with the legal regulations regarding data protection and data security.

Storage on your device
To increase safety and provide the best possible user experience, we limit the data stored in encrypted form on your device to the following elements: Email address, current training program name, information if you are on a premium account, exercise data, feedback you provided after the exercises, and steps and burnt calories (only relevant for early users).

Storage on cloud-based server
Beyond this, all of your data will be stored on servers of Amazon Web Services (“AWS”), our IT service provider Hetzner Online GmbH, Gunzenhausen (“Hetzner”) within the EU. Hetzner processes the data on our behalf and on the legal basis of article 28 DSGVO. Hetzner undertakes to comply with all relevant legal regulations regarding data protection and data security. To review Hetzner data protection regulations, please see: https://www.hetzner.de/rechtliches/datenschutz/

In addition, exclusively for communication with medical practices via our website when doctors or their practice teams order Vivira information (i.e., not for communication with patients, not for health data, and not in the Vivira app), data is stored on the servers of ALL-INKL.COM – Neue Medien Münnich, which processes it on our behalf and on the legal basis of Art. 28 DSGVO. ALL-INKL.COM is obliged to comply with the legal provisions on data protection and data security. You can find the privacy policy of ALL-INKL.COM here: https://all-inkl.com/info/datenschutzinformationen/

Data transfer
The Vivira App and the server communicate through encrypted connections via SSL (Secure Sockets Layer) to prevent unauthorized third parties from reading your data.

Firewall
Our server is protected by a firewall in order to protect against unwanted access.

ISO 27001
Our provider Hetzner is certified according to ISO 27001, an internationally recognized norm for information security.

Risk when using Vivira at your workplace or in multiple network environments
Please be aware that it is prohibited to use the internet for private purposes during working hours in certain work environments. Some employers systematically monitor prohibited internet activity at the workplace. Also, multiple network environments may pose a risk of unwanted access.

In addition to Hetzner (see above), Vivira contracts third-party providers for analysis of user data. We do this to be able to provide the services as described in our terms and conditions and/or constantly improve and further develop the App.

A transfer of your data to these service providers takes place only in connection with legally permissible contract data processing.

We have concluded data processing agreements with the service providers and in this context we implement the strict requirements of the German data protection authorities.

We use the following service providers:

Heinlein Support GmbH/mailbox.org

For data processing, Vivira uses services of mailbox.org of the company Heinlein Support GmbH, Berlin. Mailbox.org enables the receiving, processing, and answering of customer service queries, as well as the analysis of queries and their handling.

Data processing takes place on the basis of Art. 6 para. 1 lit. f DSGVO (“legitimate interests”). We assume a legitimate interest as we can significantly improve Vivira for all our users on the basis of this data. You may revoke your consent to data processing or object to it at any time by proceeding as described in Sections 12 and 13 of this Privacy Policy. The lawfulness of any previously completed data processing remains unaffected by this.

You can find the mailbox.org privacy policy here: https://mailbox.org/de/datenschutzerklaerung

Matomo

We use the web analytics service Matomo exclusively for communication with medical practices via our website when a practice orders Vivira information (i.e., not for communication with patients, not for health data, and not in the Vivira app). Matomo enables the recognition of the visitor to measure the reach of our online offers through browser fingerprinting. In this process, certain settings of the website visitor’s end device, e.g. browser version and software versions, are registered. Visitors are thus individually identifiable.

We use Matomo with privacy-friendly settings, i.e. the information collected by Matomo about the use of the website is stored on our server in Germany at ALL-INKL.COM – Neue Medien Münnich. The information collected is not passed on to third parties and does not leave the Federal Republic of Germany. The IP address is anonymized before storage. No profiling takes place. The data used for recognition is automatically deleted after 12 hours.

The use of Matomo is based on Art. 6 para. 1 lit. f DSGVO. We have a legitimate interest in the anonymized measurement of the reach of our offers in order to be able to assess visitor interest in individual contributions and to optimize our web offer. We only use the analysis for advertising purposes if visitors have explicitly given us consent to do so.

If you do not agree to this storage and use of your data, you can deactivate it here. In this case, an opt-out cookie will be stored in your browser, which prevents Matomo from storing usage data. If you delete your cookies, this will have the effect that the Matomo opt-out cookie will also be deleted. The opt-out must be reactivated when you visit this website again.

You can find the privacy policy of Matomo here: https://matomo.org/privacy-policy/

You have the right to receive information free of charge about the origin, recipients and purpose of your stored personal data at any time. You also have the right to demand the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent for the future at any time. Furthermore, you have the right to demand the restriction of the processing of your personal data under certain circumstances. You also have the right to appeal to the responsible supervisory authority.

You can contact us at any time about this and other questions about data protection at service@diga.vivira.com

You have the right to information regarding the personal data stored with us. In case your personal data is stored at Vivira, we are happy to provide you with a copy of this data upon request to service@diga.vivira.com. This includes information about purpose of storage, category of data stored, recipients of the data, accessors, as well as, if possible, period of data storage and criteria for determination of this period.

If you wish to revoke your consents to data processing by Vivira and to have your data stored by Vivira deleted, you may revoke your consents to data processing in the Vivira App under Profile > Settings > Manage your data and thereby block your account. The revocation has no consequences for the lawfulness of data processing that took place before it.

Your data will then be archived according to the statutory retention requirement for a duration of 3 years from the date of archiving. Beyond archiving, the data will no longer be processed and can no longer be accessed. After the end of the period, the data will be deleted.

From the moment the account is blocked, your program and data will no longer be available and Vivira will no longer be able to perform its services as described in our Terms and Conditions. We will no longer be able to create any reference to your account, and accordingly will no longer be able to determine whether you are or were a Vivira Premium user. Any remaining period of use, potentially already paid for, will expire without the possibility of refund or credit. The blocking cannot be reversed.

Before (and only before) you block your account, we can transfer your data to you if you send us this wish by writing to service@diga.vivira.com. See also Section 12 of this Privacy Policy.

In case the deletion conflicts with other statutory, contractual, tax-based, or commercially-based storage requirements or other legislative reasons, the blocking of your account may instead be prolonged.

You have the right to object to the processing of your personal data by Vivira for reasons that arise from your special situation. If you wish to do so, please write to: service@diga.vivira.com.

You may correct data that you incorrectly entered into the App on the same day that the original data entry was made. Questions or correction requests that go beyond this may be sent to service@diga.vivira.com.

A partial deletion of your data or a restriction of the data processing is possible, if there is a legal basis for it according to Art. 17 or Art. 18 DSGVO. In this case please contact us at: service@diga.vivira.com.

We can transfer to you your personal data stored by Vivira in a structured, common and machine-readable format. Upon request, it is also possible to transfer this data directly to a third party insofar as this is technically feasible and insofar as we have your explicit and specific consent to do so. In this case, send an email to service@diga.vivira.com.

In case of appeals, complaints, or questions sent to service@diga.vivira.com, we will do our best to resolve your issue to your fullest satisfaction.

You are also welcome to contact our Data Protection Officer: Mike Peter, mpP Group/yourprivacyfirst: hello@yourprivacyfirst.de.

Beyond this, you may get in contact with the data protection supervisory authority that is responsible for your location: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

We reserve the right to amend this Data Privacy Policy under consideration of statutory data protection requirements. You can find the respective current version here or at another place on App and Website where it can be easily found.

Vivira Health Lab GmbH
Kurfürstendamm 54/55, 10707 Berlin
Contact: service@diga.vivira.com