Data Privacy Policy of Vivira Health Lab GmbH for the Digital Health Application (DiGA) “Vivira” and for the website www.vivira.com

Therapeutic training at home
for back, knee and hip pain

As of 01 July 2020

Your data belongs to you and is controlled by you. By giving consent to the processing of your data, you enable us to offer you the best possible therapeutic Vivira-training.

The protection of your data and your privacy are very important to us. We’re aware of the sensitive character of your health information. Therefore, the legislator refers to certain health data as “special personal data”. Such data is in particular need of protection.

At Vivira, we collect as little of your personal data as possible and protect it by the highest technical standards. This Privacy Statement explains in detail how we do this.

Which questions does our Privacy Policy answer?


Our objective is to support you in optimally conducting therapeutic training at home, as a complement to other treatment forms, while helping you as much as possible to reduce your knee, hip, or back pain.

This includes the clinical validation of our product by research organizations using anonymized data. 

The processing of your data serves these purposes exclusively.

Vivira Health Lab GmbH (“Vivira”) is located at Kurfürstendamm 54/55, 10707 Berlin, Germany. Vivira processes your personal data in connection with the Vivira-App (“App”) and the website www.vivira.com (“Website”). We’re “responsible” according to German Basic Regulation on Data Protection (Deutsche Datenschutz-Grundverordnung – “DSGVO”), which is in line with European Data Protection Law.

We process your data only to the extent necessary for the provision of the Vivira services requested by you, as long as you consent to the processing, or if we’re authorized to do so by data protection laws. For the processing of your data, we separately ask for your consent. You can consent e.g., by activating the consent-slider in the Vivira App. We will keep a record of your consents.

You may view and revoke your consents at any time in the Vivira App under Profile > Settings > Manage your data.

Your data is processed according to the state of the art in data protection and the requirements of DSGVO. Your data is stored and transferred in an encrypted form. For example, the Vivira website uses SSL or TLS encryption for data transmission. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to “https://” and by the lock symbol in your browser line. If the SSL or TLS encryption is activated, the data that you transfer to us cannot be read by third parties. These and further measures to ensure data protection are detailed in this Data Privacy Policy.

Requests can be sent to service@vivira.com. For further information regarding our company, see www.vivira.com. You may also address questions to our data protection officer: Mike Peter, mpP Group/yourprivacyfirst: hello@yourprivacyfirst.de

On the one hand, your data is collected when you enter it into our systems. On the other hand, further data is automatically collected by our IT systems after your consent.

Personal data is especially protected by law. Such data is information that relates to an identified or identifiable person.

With the exception of your email address and your IP address, we do not collect any data that allows direct identification of your person. Nevertheless, the other data we collect becomes personalizable through your email address and IP address. A strictly confidential handling of all your data is therefore of great importance to us and we treat all data according to the same rules that apply to processing your personal data.

In case you do not wish to share necessary data with us, we’re unable to provide you with the services described in our terms and conditions.

Health Data

In the Vivira App

Vivira consists of four main features, in each of which health data is collected. The collection of the data is required for serving the purpose of Vivira and for providing the services as described in our terms and conditions. The four main features are:

a) Onboarding and generation of user account
b) Wellbeing Journal and Movement Test
c) Personalized training program
d) Steps and other activities

Providing your data is optional. However, the Vivira App can only function if you provide the data completely and correctly.

Re a)

By providing specific health data during Onboarding, you can exclude contraindications (are these present: yes/no) and enable the selection of the right Vivira program, while receiving general and specific information on Vivira in the context of the data you provide.

This requires data about possible contraindications, your demography (gender, age), your health condition (your problem areas, the severity and duration of your pain, medical diagnoses, movement limitations) and possible on-going treatment with physiotherapy and/or pain medication.

The generation of a Vivira user account is required for security reasons to be able to use the Vivira App. With your user account, you can use your Vivira program after signing out from the App and then signing back in, after deleting and then reinstalling the App (though not after blocking of your account), and you can use the App on multiple devices.

During generation of your user account, you will be asked for your email address and asked to define a personal password. This enables us to set up and protect your account. We also need your email address in case we have to inform you about security-relevant issues regarding the product. For purposes of data security, we require a complex password with at least 8 characters, including at least one lowercase letter, one uppercase letter, and at least one number.

Disclosure of your email address qualifies all data collected, processed and used by Vivira as “special personal data” pursuant to the DSGVO. It is protected accordingly as such.

Re b)

The Wellbeing Journal and the Movement Test enable you to periodically register the status of your bodily condition. In the Wellbeing Journal, you provide data concerning your condition and treatment (pain, limitations to quality of life, work, household, and leisure activities, physiotherapy, and pain medication). In the Movement Test, you go through certain movements and indicate whether the movements could be conducted and if they were painful.

Re c)

The personalized therapeutic training program supports the reduction of your pain. Every day, you will receive several exercises that are explained by video, as well as information regarding the exercises. After each exercise, we will ask you questions regarding your ability and the pain you may have experienced during the exercise. Answering these questions enables us to adapt the exercises each day based on the answers you provided.

Re d)

Providing steps and other activities enables you to keep an eye on your overall activity level over time.

On the Vivira Website

When using the Vivira Contact Form

  • Name
  • Email address
  • Your message to Vivira

Technical Data

The technical data we collect informs us about the hard- and software you use:

In the Vivira App

  • Platform (e.g., iOS or Android)
  • Version of the Vivira-App
  • Manufacturer and model of your device
  • Version of the operating system of your end device
  • The so-called “Identifier for Advertising in Apple” for iOS devices
  • The so-called “Advertising ID” for Android devices

Data regarding use

The data regarding use that we collect informs us how and how often you use our App and Website:

In the Vivira App

  • Time and frequency of use of App
  • Area of App that is used
  • Duration of use
  • App-settings used (language settings, notifications)
  • Feedback-data (incl. email-service)
  • Location of use, if applicable

We process your health data, technical data and data on use while you are using the App and Website and beyond that for as long as we have your consent and the purpose of use requires it.

Vivira will store your data for as long as we have your consent to do so in the context of the delivery of the Vivira services. In the case of your objection or the revocation of your consents, and in accordance with statutory requirements, Vivira will block and archive your data for a period of 3 years.

We do not share your data with third parties, unless:

  • we are obliged to do so by law
  • you have given us your explicit and specific consent to do so

Your consent includes our sharing of data with specific third-party analytics providers that are required to deliver our service to you according to our terms and conditions (AGB) and are explicitly listed in Sections 8 and 9 of this Data Privacy Policy.

It also includes sharing of anonymized data with research organizations, exclusively for purposes of clinical validation of our product. To receive a list of our current research organization partners, please send an email to service@vivira.com.

Only with your explicit and additional specific consent, we will transfer your data to certain doctors, therapists (“Providers”), Payors, or research institutions. In this case, Vivira acts as contract data processor pursuant to article 28 DSGVO and undertakes to comply with the legal regulations regarding data protection and data security.

In the context of the use of third-party services described in Sections 8 and 9, your personal data may be transferred to these providers (also to the U.S.). In such cases, we will take appropriate actions to reasonably protect your data at all times. Transfer of data to the U.S. is only made to companies that hold an EU-US Privacy Shield certification. Therefore, the data transfer is lawful on the basis of the adequacy decision of the EU-Commission (Art. 45 DSGVO) dated 12 July 2016. For further information go to www.privacyshield.gov.

Storage on your device
To increase safety and provide the best possible user experience, we limit the data stored in encrypted form on your device to the following elements: Email address, current training program name, information if you are on a premium account, exercise data, feedback you provided after the exercises, and steps and burnt calories (only relevant for users until June 2020).

Storage on cloud-based server
Beyond this, all of your data will be stored on servers of Amazon Web Services (“AWS”), our IT service provider in Frankfurt am Main (Germany). AWS processes the data on our behalf and on the legal basis of article 28 DSGVO. AWS undertakes to comply with all relevant legal regulations regarding data protection and data security. To review Amazon Web Services data protection regulations, please see: https://aws.amazon.com/compliance/data-privacy/

Data transfer
The Vivira App and the server communicate through encrypted connections via SSL (Secure Sockets Layer) to prevent unauthorized third parties from reading your data.

Firewall
Our server is protected by a firewall in order to protect against unwanted access.

ISO 27018
Our provider AWS is guided by ISO 27018, a code of conduct that focuses on the protection of personal data on cloud-based servers.

Risk when using Vivira at your workplace or in multiple network environments
Please be aware that it is prohibited to use the internet for private purposes during working hours in certain work environments. Some employers systematically monitor prohibited internet activity at the workplace. Also, multiple network environments may pose a risk of unwanted access.

In addition to AWS (see above), Vivira contracts third-party providers for analysis of user data. We do this to be able to provide the services as described in our terms and conditions and/or constantly improve and further develop the App and the Website.

A transfer of your data to these service providers takes place only in connection with legally permissible contract data processing.

When data is processed outside the European Union and the European Economic Area, an appropriate data protection level will also be assured by adequate guarantees for the protection of the right of personality and the exercise of related rights. This is assured by legal, technical and organizational measures and periodic checks that third-party providers fulfil all provisions of the relevant data protection regulations.

We have concluded data processing agreements with the service providers and in this context we implement the strict requirements of the German data protection authorities.

We use the following service providers:

Adjust

For data processing, Vivira uses services of Adjust GmbH, a provider from Germany for Mobile App Tracking and Analytics. Adjust provides app marketers and publishers with a solution to stay informed about the performance of their campaigns. The Adjust BI platform shows understandable and practicable metrics, also on the in-app behavior of users, e.g., to recognize promising marketing campaigns.

Data processing takes place on the basis of article 6 para. 1 lit. f DSGVO (“legitimate interests”). We assume a legitimate interest as we are able to significantly improve App and Website for all users on the basis of the findings from the data we receive from Adjust. You may revoke your consent to data processing or object to it at any time by proceeding as described in Sections 12 and 13 of this Privacy Policy. The lawfulness of any previously completed data processing remains unaffected by this.

For Adjust’s privacy statement, please see: https://www.adjust.com/privacy-policy/

Mixpanel

For data processing, Vivira uses services of Mixpanel Inc., a provider from the U.S. that logs page views and page activity during App use. On this occasion, user data is transferred to Mixpanel (and Mixpanel, Inc.) in the U.S.

Data processing takes place on the basis of article 6 para. 1 lit. f DSGVO (“legitimate interests”). We assume a legitimate interest as we can significantly improve Vivira for all our users on the basis of findings from data created by Mixpanel. You may revoke your consent to data processing or object to it at any time by proceeding as described in Sections 12 and 13 of this Privacy Policy. The lawfulness of any previously completed data processing remains unaffected by this.

Mixpanel holds a Privacy-Shield certification. This means that Mixpanel voluntarily fulfils all data protection requirements of the EU. For more information, please see: https://www.privacyshield.gov/participant?id=a2zt0000000TOacAAG

For further information on the use of your data, please see Mixpanel’s privacy statement: http://mixpanel.com/privacy

Segment

For data processing, Vivira uses services of Segment.io, Inc., a provider from the U.S. Segment enables the analysis of user data on mobile devices and on the internet and enables its transfer to third-party provider tools used by Vivira, e.g. for data analysis, marketing or data warehousing.

Data processing takes place on the basis of article 6 para. 1 lit. f DSGVO (“legitimate interests”). We assume a legitimate interest as we can significantly improve Vivira for all our users on the basis of findings from data created by Segment. You may revoke your consent to data processing or object to it at any time by proceeding as described in Sections 12 and 13 of this Privacy Policy. The lawfulness of any previously completed data processing remains unaffected by this.

Segment holds a Privacy-Shield certification. This means that Segment voluntarily fulfils all data protection requirements of the EU. For more information, please see: https://www.privacyshield.gov/participant?id=a2zt00000008WCkAAM&status=Active

You can find Segment’s privacy statement here: https://segment.com/docs/legal/privacy/

Jira Service Desk

For data processing, Vivira uses services of Jira Service Desk by Atlassian, a company in Australia. Jira Service Desk enables the receiving, processing, and answering of customer service queries, as well as the analysis of queries and their handling.

Data processing takes place on the basis of article 6 para. 1 lit. f DSGVO (“legitimate interests”). We assume a legitimate interest as we can significantly improve Vivira for all our users on the basis of findings from data created by Jira Service Desk. You may revoke your consent to data processing or object to it at any time by proceeding as described in Sections 12 and 13 of this Privacy Policy. The lawfulness of any previously completed data processing remains unaffected by this.

Atlassian holds a Privacy-Shield certification. This means that Atlassian voluntarily fulfils all data protection requirements of the EU. For more information, please see: https://www.privacyshield.gov/participant?id=a2zt00000008RdQAAU&status=Active

You can find Atlassian’s privacy statement here: https://www.atlassian.com/legal/privacy-policy

You have the right to receive information free of charge about the origin, recipients and purpose of your stored personal data at any time. You also have the right to demand the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent for the future at any time. Furthermore, you have the right to demand the restriction of the processing of your personal data under certain circumstances. You also have the right to appeal to the responsible supervisory authority.

You can contact us at any time about this and other questions about data protection at service@vivira.com.

You have the right to information regarding the personal data stored with us. In case your personal data is stored at Vivira, we are happy to provide you with a copy of this data upon request to service@vivira.com. This includes information about purpose of storage, category of data stored, recipients of the data, accessors, as well as, if possible, period of data storage and criteria for determination of this period.

If you wish to revoke your consents to data processing by Vivira and have your data stored by Vivira deleted, you may revoke your consents to data processing in the Vivira App under Profile > Settings > Manage your data and thereby block your account. The revocation has no consequences for the lawfulness of data processing that took place before the revocation.

Your data will then be archived according to the statutory retention requirement for a duration of 3 years from the date of archiving. From then on, the data will be archived exclusively; it will no longer be processed and can no longer be accessed. After the end of the 3 years, the data will be deleted.

From the moment the account is blocked, your program and data will no longer be available and Vivira will no longer be able to perform its services as described in our Terms and Conditions. We will no longer be able to create any reference to your account, and accordingly will no longer be able to determine whether you are or were a Vivira Premium user. Any remaining period of use, potentially already paid for, will expire without the possibility for refund or credit. The blocking cannot be reversed.

Before (and only before) you block your account, we can transfer your data to you if you request this by writing to service@vivira.com. See also Section 12 of this Data Privacy Policy.

In case the deletion conflicts with other statutory, contractual, tax-based, or commercially-based storage requirements or other legislative reasons, the blocking of your account may instead be prolonged.

You have the right to object to the processing of your personal data by Vivira for reasons that arise from your special situation. If you wish to do so, please write to: service@vivira.com.

You may correct data that you incorrectly entered into the App yourself directly in the App on the same day that the original data entry was made. Questions or correction needs that go beyond what is described may be sent to service@vivira.com.

A partial deletion of your data or a restriction of the data processing is possible, if there is a legal basis for it according to Art. 17 or Art. 18 DSGVO. In this case please contact us at: service@vivira.com.

We can transfer to you your personal data stored by Vivira in a structured, common and machine-readable format. Upon request, it is also possible to transfer this data directly to a third party insofar as you have given us your explicit and specific request to do so and we were able to confirm your identity. In this case, send an email to: service@vivira.com.

In case of appeals, complaints, or questions sent to service@vivira.com, we will do our best to resolve your issue to your fullest satisfaction.

You are also welcome to contact our Data Protection Officer: Mike Peter, mpP Group/yourprivacyfirst: hello@yourprivacyfirst.de.

Beyond this, you may get in contact with the data protection supervisory authority that is responsible for your location: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

We reserve the right to amend this Data Privacy Policy under consideration of statutory data protection requirements. You can find the respective current version here or at another place on App and Website where it can be easily found.

Vivira Health Lab GmbH
Kurfürstendamm 54/55, 10707 Berlin
Contact: service@vivira.com