Information of Declareme GmbH about the processing of personal data according to Art. 13 DS-GVO

The following privacy policy informs you about the processing of your personal data both on the website https://www.healthmeapp.de/ and in the mobile app HealthMe (available for Android and iOS). Unless explicitly mentioned, the information applies to both the website and the app.

The party responsible for data collection is:

Declareme GmbH (hereinafter: "we").
Represented by the managing director Ms. Victoria Noack.
Kurfürsten-Anlage 52
69115 Heidelberg
Germany

If you purchase a subscription for our app HealthMe via the App Store or Google Play, the purchase takes place via these stores. In addition, you can purchase services from a cooperation partner. The providers of the stores and the cooperation partners are also responsible for the processing of your personal data. Therefore, please inform yourself about the processing of your personal data at these locations.

§ 1 General information on the processing of personal data by us

We collect and process personal data if you provide it to us when registering for the HealthMe app, when contacting us or via an input form in our app or on our website. We also collect and process data that is collected when you use our website and our app. Your data is processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act and other applicable laws. Personal data is any information relating to an identified or identifiable natural person. In the following, we explain in detail which data we collect, how we collect it and on what legal basis. In addition, we explain what rights you have and how long your data will be stored.

§ 2 Processing of your personal data when registering for our app and purchasing a subscription or bundle

  1. Our app HealthMe can only be used by registered users. The use of HealthMe is only possible with registration because this allows the data you enter, e.g. on your allergies, to be saved so that you do not have to enter it again each time you open the app. In addition, you can use the app on several mobile devices on which you are logged in to the App Store or Google Play with the same ID without having to enter all the data again. The password protection also allows you to log out at any time and thus prevent access to your data by unauthorized third parties who access your mobile device. The processing of the data as explained in the following paragraphs is therefore based on Art. 6 para. 1 p. 1 b) DS-GVO, because it is necessary for the purpose of fulfilling the contract.
  2. After installing HealthMe on your mobile device, you must enter the following data: Your email address and a password of your choice. We verify the email address by first sending you a confirmation email with a link. Only after clicking on this link can you log in to HealthMe and use our app (so-called double opt-in procedure). To document your confirmation by clicking on the link, we also store the name of the file or resource retrieved (confirmation of the email address), the date and time of the retrieval, a message stating whether the retrieval was successful and your full IP address. We will also use your e-mail address in the future for further contractual communication.
  3. Alternatively, you can also register with your Facebook account. We will then know your first and last name as you have entered it on Facebook as well as your Facebook ID instead of your email address. Facebook itself may also process data from you if you register with us using your Facebook account. Please inform yourself about this directly at Facebook.
  4. If you purchase a bundle, we also need your address so that our cooperation partner can send the blood test to your home. We only process your payment data if you take out a subscription or purchase a bundle via our website. If you book the subscription via the app, the payment data will only be processed by the respective app provider. When purchasing the bundle, your payment data will be processed by the respective selected payment service provider. We process the aforementioned further data on the basis of Art. 6 (1) p. 1 b) DS-GVO because it is absolutely necessary for the purpose of fulfilling the contract. On this basis, we also transmit your data to our cooperation partner as well as to the payment service providers.
  5. On the basis of Art. 6 para. 1 p. 1 f) DS-GVO and thus on the basis of our legitimate interests, the processing of data may also take place for the assertion or defense of any claims against our users or by our users. In addition, we process data on this legal basis in the event of errors in the app or on the website so that we can identify and rectify them.
  6. If you provide us with personal data by contacting us, e.g. via an input form, by e-mail or by other means, we process your data in accordance with Art. 6 (1) sentence 1 b) DS-GVO for the purpose of fulfilling the contract or for the implementation of pre-contractual measures that take place in response to your request or in accordance with Art. 6 (1) sentence 1 f) DS-GVO due to our legitimate interest in answering your request. We process your data in each case only for the purpose of processing your specific request.
  7. The personal data we collect will be stored for as long as we need it for the purposes for which it was collected, unless we have your consent for further storage or we are obliged to store it for a longer period of time in accordance with Art. 6 para. 1 p. 1 c) DS-GVO, e.g. due to tax and commercial law retention and documentation obligations (e.g. from HGB, StGB or AO).

§ 3 Your consent to the processing of your health data

With HealthMe, you can scan food to display contained allergens, ingredients and nutritional values. If you have previously indicated in your account which allergens are relevant to you or - as a premium user - which other ingredients are relevant to you and what your dietary preferences are, HealthMe can also give you an indication straight away as to whether the scanned food is questionable or harmless for you. You will also be shown alternative products to the scanned food. The same applies if you import the test result of our cooperation partner into your account. The indication of allergens and ingredients in your account or the import of the test result is completely voluntary. If you disclose health data, e.g. because you actually have an allergy to a selected allergen, or information about your attitude to life, or in any case when importing the test result, we process this health data by storing it in our database on the basis of your consent. Your consent also includes the storage of your data on the servers of one of our service providers (database provider, see also § 8), whereby we always store your information on allergens, ingredients and your test result separately from your data listed in § 2, but only linked to a user ID so that we can also display the data in your account. You can revoke this consent at any time by deleting the selection of allergens, ingredients as well as the test result in your account settings by removing the checkbox. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

§ 4 Saving your scan and search history

Part of our service is the storage of your scan and search history in your account, so that you can track which foods you have already looked at and also retrieve the information about them again without having to scan the food again. Therefore, the storage of your scan and search history is based on Art. 6 para. 1 p. 1 b) DS-GVO, because it is necessary for the purpose of fulfilling the contract.

§ 5 Consent to receive our newsletter

If you subscribe to our newsletter, we process your e-mail address solely for the purpose of sending the newsletter. In addition, we store the name of the retrieved file or resource (confirmation of the e-mail address), date and time of the retrieval, notification of whether the retrieval was successful and your full IP address in order to be able to prove your consent. For the double opt-in procedure, please also read § 2 paragraph 2 of this data protection information.

With the newsletter, we inform you about interesting facts about nutrition and news about our services or those of our cooperation partner. We use a newsletter administration tool from a third-party provider to send the newsletter. We have carefully selected this provider and agreed data protection regulations with them so that we retain control over your data. We evaluate the click and open rates of our newsletters, but this is done without any reference to individual users and therefore completely anonymously.

At the end of each newsletter mail you will find a link that allows you to unsubscribe from the newsletter at any time. You can also unsubscribe at any time by contacting us by e-mail or by post at the address given above. The revocation of your consent by unsubscribing from the newsletter does not affect the lawfulness of the data processing until the time of revocation.

§ 6 Processing of data by means of log files

Both our website and our app HealthMe use so-called log files on the basis of Art. 6 para. 1 p. 1 f) DS-GVO, in which access data is stored for each page or app call. The data record stored contains the following data for website accesses:

  • Name of the file accessed
  • Date and time of access
  • Message as to whether the retrieval was successful
  • The IP address
  • Browser type
  • Browser version and its language
  • Operating system and its interface
  • Referral URL
  • Access status/http status code
  • Type of terminal device

When the HealthMe app is accessed, the stored data record contains the following data in addition to those mentioned under § 2 para. 2:

  • Application type and application ID
  • Operating system and its interface

The log data (logs) are only stored anonymously so that a personal reference can no longer be established. Temporary storage of the full IP address may take place in individual cases if we need to protect our website and app against attacks and misuse. This is also our legitimate interest for the storage. We do not use the log data for any other purposes.

§ 7 Cookies

Cookies are pieces of information that are transferred from our web server or from third-party web servers to the web browsers or mobile devices of the users and stored there for later retrieval. Cookies can be small files or other types of information storage.

We use both so-called session cookies, i.e. cookies that expire at the end of your visit, and so-called persistent cookies, which are stored on your end device until they expire or you delete them. The purpose and storage period of the cookies can be seen from our cookie banner, which is displayed when you call up our website or app and which you can call up again at any time by clicking on "Cookies" (on the website in the footer). If the storage of these cookies is technically necessary, the legal basis is Art. 6 para. 1 p. 1 f) DS-GVO, because we have a legitimate interest in making your visit to our website as comfortable as possible.

Technically necessary cookies from our shop provider are also stored when you are redirected to our shop. You can find an overview of the cookies stored there here: https://www.shopify.de/legal/cookies.

Here, too, the legal basis is Art. 6 para. 1 p. 1 f) DS-GVO, because we have a legitimate interest in making your visit to our webshop as comfortable as possible.

In addition, we store cookies for other purposes based on your consent. Please read § 8 of this data protection information.

You can prevent cookies from being stored on your computer by deactivating the corresponding option in the system settings of your browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of our online offer.

§ 8 Google Analytics (for Firebase)

If you have given your consent to this, we use Google Analytics (for Firebase) to evaluate the performance of the website or app and the behaviour of users on the website or app. Google Analytics is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you call up our website or app, a window appears in which you can either click on "Save only" without setting any further ticks, whereby only the technically necessary cookies listed under § 7 will be set. However, you can also select all cookies and thereby give your consent to the data processing by the selected cookies.

As a rule, data is also transmitted to Google LLC, which is based in the USA, as part of the processing described below. Google Ireland Limited and Google LLC are hereinafter jointly referred to as "Google". There is an agreement with Google in accordance with the EU standard contractual clauses, which ensures the adequacy of data protection even in the case of processing in the USA and other third countries (Art. 46 DS-GVO). In addition, by activating your data, you also give your express consent to the transfer of data (Art. 49 para. 1 a) DS-GVO) to the USA.

Google Analytics creates pseudonymized usage profiles for us. Information is stored in the cookie that is related to the specific end device used. However, this does not mean that we gain direct knowledge of your identity. These cookies are deleted after 2 years.

The Google Analytics cookie generates information about your use of this website such as

  • Browser type/version,
  • operating system used,
  • Referrer URL (the previously visited page),
  • host name of the accessing computer (IP address),
  • time of the server request.

The IP addresses are regularly anonymized within the European Union or within the EEA and only then transferred to the USA so that an allocation is not possible (IP masking).

You can revoke your consent at any time by deactivating your consent under "Cookies" (on the website in the footer).

Google also processes your data in its own interest. Please read the information from Google at https://policies.google.com/privacy?hl=de.

§ 9 Encryption

Our website and our app HealthMe are protected with SSL encryption so that personal data is only transmitted in encrypted form. We secure our website and our app HealthMe and other systems by technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons.

§ 10 Categories of recipients of data; data transfers to a third country

Service providers and vicarious agents used by us in connection with the website, e.g. host providers, database providers and other IT service providers, may have access to your personal data. If these service providers and vicarious agents process data on our behalf, they act according to instructions and are contractually bound by us accordingly. This also applies to the transfer of data to a third country. Data transfer to a third country (e.g. USA) takes place through the use of certain service providers. However, this data transfer only takes place if the requirements of Art. 44 et seq. DS-GVO are met. In part, this happens through the conclusion of standard contractual clauses, which can be viewed here: https://eur-lex.europa.eu/legal-content/DE/TXT/?locale-de=&uri=CELEX%3A32021D0915

§ 11 Your rights as a data subject

You have the right to:

  1. if we process personal data on the basis of your consent, revoke your consent at any time in accordance with Art. 7 (3) DS-GVO. This means that we may no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;
  2. request information about your personal data processed by us in accordance with Art. 15 DS-GVO. In particular, you may request information about the processing purposes, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  3. in accordance with Art. 16 DS-GVO, demand the immediate correction of inaccurate or incomplete personal data stored by us;
  4. pursuant to Art. 17 DS-GVO, request the deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
  5. in accordance with Art. 18 DS-GVO, request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer need the data, but you require it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 DS-GVO;
  6. pursuant to Art. 20 DS-GVO, receive your personal data that you have provided to us in a structured, common and machine-readable format or request the transfer to another controller;
  7. if your personal data is processed on the basis of legitimate interests pursuant to Article 6 (1) sentence 1 f) DS-GVO, object to the processing of your personal data pursuant to Article 21 DS-GVO, provided that there are grounds for doing so which arise from your particular situation;
  8. if your personal data are processed for direct marketing purposes, object at any time to the processing of your data for such marketing, including profiling, insofar as it is related to such direct marketing, in accordance with Article 21(2) of the GDPR; and
  9. complain to a supervisory authority in accordance with Article 77 of the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

If you wish to make use of the aforementioned rights, please contact us using the above contact details.

§ 12 Duration of storage and routine deletion

Unless expressly stated otherwise in this privacy policy, we process and store personal data only for the period of time necessary to achieve the purpose of the processing or if this has been provided for in laws or regulations to which we are subject. If the storage purpose ceases to apply or if a legally prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.