Privacy policy - Mika App
The purpose of this privacy policy is to inform you about how we process personal data. The protection of your privacy is of paramount importance to us, for which reason we ensure compliance with statutory provisions on data protection as a matter of course.
This privacy policy contains information for all our visitors in the EU, UK, Switzerland and United States of America. In case legal grounds have been stated by referencing the General Data Protection Regulation (GDPR), all information also corresponds to the UK GDPR respectively. All information given pertains to visitors from all locations unless stated otherwise.
1. Name and contact details of the responsible party
Fosanis GmbH
Gerichtstraße 23
Hof 3, Aufgang 2,
13347 Berlin, Germany
Email: support@mika.health
2. Data protection officer
If you have any questions regarding our data protection measures, the processing of your data or about the protection of your rights as a data subject, you can reach us and our data protection officer as follows:
1.1.1 External data protection officer:
ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21, 20354 Hamburg, Germany
For all questions and concerns regarding your data, please contact support@mika.health
Should you wish to communicate directly with our data protection officer (for example, because you have a particularly sensitive concern), please contact them by letter post since communication by email can always pose certain security risks. Please state in your enquiry that your concern relates to the company Fosanis GmbH.
3. Security measures
All information collected by using Mika is stored and transferred only using state-of-the-art encryption. To ensure the highest level of security for your personal information, we have implemented an Information Security Management System (ISMS) based on ISO 27001. Our Information Security Officer, in conjunction with our Data Privacy Officer, ensures that all information processing is done to the highest standards.
Our ISMS includes processes and countermeasures to deal efficiently and quickly with possible data breaches, vulnerabilities and other factors that could have an impact on data security. All of our employees undergo regular information security and data privacy training. The effectiveness of our ISMS is audited on an annual basis by an independent body.
Our service providers are carefully reviewed to ensure compliant handling of personal information. For our app we only utilize hosting providers that have been certified based on ISO 27001, ISO 27017 (cloud information security) and ISO 27018 (data protection for cloud services). This includes HIPAA compliance where required.
4. Use of your data when using our app
We collect and process your personal data to render our health services via the app’s content to you whenever you use our app. This may include data processing to ensure the technical safety of the app, to bill, invoice or otherwise receive compensation from your health insurance, health care provider or company. We may also store some data on your device to provide the app’s functionality.
4.1. Data categories and legal grounds
Our app may collect the following data categories to provide its functionality:
- Contact information (e.g. name, address, email address, telephone number)
- Health information (e.g. medical indication, symptoms, information on your current health progress, diary entries, stress factors, type of therapy)
- Online identifiers and technical information (e.g. IP address, device ID, user ID, crash reports)
- Messages you send us within the app
- Error logs, user interaction data, device and other application-specific data that can assist in error and performance analysis.
We process your data based on your voluntary consent (Art. 9(2)(a) GDPR for health data and Art. 6(1)(a) GDPR for all other data) and, where applicable, as part of performing our obligations to you based on a service contract (Art. 6(1)(b) GDPR).
4.2. Recipients of your personal information
The following companies provide services to us within the performance of our app and may therefore receive some of your personal information:
- Amazon Web Services (38 Avenue John F. Kennedy, L-1855, Luxembourg): hosting of our app.
- Thryve (mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany): middleware to allow connecting our app to external devices and smartphone services
- Typeform (Typeform SL, Calle de Pallars 108 (Attico) 08018 Barcelona, Spain): form and survey tool
- Sendinblue (7 rue de Madrid, 75008 Paris, France): email service provider
- Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland): email management
- Sentry.io (Sentry, Inc., 1501 Mariposa Street, San Francisco, CA 94107, USA): Monitoring and tracking of application errors and performance issues.
4.2.1 Transfer to third countries
Data is transferred to countries outside the European Economic Area. We only transfer personal data to third countries where the EU Commission has confirmed an adequate level of protection or if we can ensure the careful handling of the personal data through contractual agreements or other appropriate guarantees, such as certifications or proven compliance with international security standards.
- USA (SCCs/Data Privacy Framework)
Legitimate interests
The purpose of processing your data is to protect the following legitimate interests:
- Protecting our systems from misuse,
- Monitoring and tracking application errors and performance issues in our apps.
4.3. Storage duration
We store your personal information until you revoke your consent by deleting your account. You can do this at any time within the app itself. Please be aware that this cannot be reversed.
If we’re rendering our services to you as part of a service contract then we store your data until the contract has been terminated, unless you delete your account beforehand.
5. Data collection to improve our app
When you register, you have the choice to consent to us using some of your personal data to improve our app and for the scientific evaluation of our services. This includes enhancing the usability of our app as well as analysing the effectiveness of features and overall user experience. Based on your consent we may aggregate some of your data to create statistics about the use of Mika and share them with our Pharma partners to improve the user experience. The statistics will not allow you to be identified. No personal information will be shared with third parties.
6. Data privacy rights
Please be aware that the following rights can only be invoked for as long as we process your personal information. In cases where we anonymize information (e.g. Section 5), we are not able to identify you any more and as such cannot fulfil any data privacy rights in that regard.
6.1. Right to access of information
You may request information pursuant to Art. 15 GDPR on how your personal data is processed and receive a copy of your personal data. Among other things, you can demand information regarding the purposes of data processing, the personal data categories that are processed, the recipients of such data (in case such data is transferred), storage periods or the criteria for determining such storage periods.
6.2. Right to rectification
In case of inaccurate or incomplete personal data, you have the right to have this data rectified or completed.
6.3. Right to erasure of personal data
You have the right to inquire about the erasure of your personal data, if
- the personal data is no longer necessary for the purposes it was collected for,
- you withdraw consent and no other legal grounds for processing said data exist,
- you object to the processing (see 5.6) and no overriding legitimate interests in processing the personal data exist,
- your personal data has been unlawfully processed,
- your personal data must be erased for compliance with EU or national law.
6.4. Right to restriction of processing
You may inquire about restricting the processing of your personal data under the following circumstances:
- You contest the accuracy of your personal data and data processing needs to be restricted during the verification period,
- The processing is unlawful, but you oppose the erasure of your personal data,
- Personal data is no longer needed by us, but you require us to keep this data for the establishment, exercise or defence of legal claims,
- You have objected to the processing (see 5.6). Your data’s processing would be restricted in the time we require to review your request and to verify that no legitimate grounds override your request.
6.5. Right to data portability
You have the right to receive a copy of your personal data that you provided to us in a structured, commonly used and machine-readable format.
6.6. Right to object
In cases where we’re processing your personal data based on a legitimate interest, you have the right to object to the processing on grounds relating to your particular situation.
You may also object against the processing of your personal data for direct marketing purposes.
6.7. Right to complaint
If you’re of the opinion that certain data processing is violating data privacy requirements, you may lodge a complaint with a relevant supervisory authority. The competent supervisory authority for Mika in the EU is:
Berliner Beauftragte für Datenschutz
Alt-Moabit 59-61
10555 Berlin
mailbox@datenschutz-berlin.de
7. CCPA rights
The CCPA provides consumers from California with specific rights regarding their personal information. This section informs you about your rights. Please see section 2 on how to get in contact with us.
7.1. Right to know
You may request information on what personal information we have collected, used, shared, or sold about you, and the purposes for such data processing, for the 12 months preceding your request. In case you invoke your right to know, we will provide you with the following information free of charge:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which your personal information was collected
- The purposes for which the personal information is used
- The categories of third parties with whom we share the personal information
- The categories of information that we sell or disclose to third parties. Please be aware that we do not sell your personal information.
7.2. Right to delete
You may request that we delete your personal information. In case we receive such a request, we will require our service providers (see section 4) to do the same. Please be aware that invoking this right may affect the services we provide. Depending on which information you require us to delete, we may not be able to provide you with the desired services that would require this information.
7.3. Right to opt-out
You may request that we don’t sell or share your personal information (“opt-out”) for cross-context behavioral advertising, which is the targeting of advertising to you based on personal information obtained from your online activity across numerous websites. We do not sell your personal information. For information we share with Google and Meta (see sections 4.4 and 4.5), you can withdraw your consent at any time in our cookie banner.
7.4. Right to non-discrimination
We will not discriminate against you for exercising your CCPA rights. This includes but is not limited to the following aspects:
- We will not charge you a different rate or price for exerting your rights.
- We will not deny you access to any of our services.
- We will not provide you with a different level or quality of our services.
7.5. Right to correct
Should we have incorrect information about you, you may require us to correct the incorrect personal information.
7.6. Right to limit
You have the right to require us to limit the use of your sensitive personal information to the services you requested. Sensitive information may include your social security number, financial account information, your precise geolocation data or genetic data.
Date of this privacy policy: 03.05.2024