HoloMedix.AI Data Protection Declaration
Last updated: 06.11.2024
We, HoloMedix.AI SE, Königstadt-Carree am Alexanderplatz, Mollstr. 32, 10249 Berlin, Germany ("we", "us", "our"), are the provider of VitalMedix, software that, combined with a smartwatch (“Wearable”), supports your health and well-being ("Product"). As the controller of personal data collected and processed in connection with the Product, we are committed to protecting your personal data and respecting your privacy rights. This data protection declaration ("Declaration") explains how we process your personal data in accordance with the General Data Protection Regulation and other applicable laws.
1. What personal data do we collect and for what purposes?
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When you use our Product, we collect and process the following categories of personal data for the following purposes:
- Contact details: We collect your name, email address, phone number, postal address and credit card details when you register for our Product, purchase a subscription or contact us for support or feedback. We use this data to create and manage your account, provide you with the Product, charge the subscription fees, communicate with you and respond to your inquiries.
- Health and biometric data: We collect data about your health and biometric conditions, such as your heart rate, blood pressure, blood oxygen level, sleep quality, activity level, weight, height, age, gender, medical history, medications, allergies, symptoms, diagnoses, goals and preferences, automatically when you wear the Wearable or based on any of your input. We use this data to provide you with personalized health guidance and feedback, statistical analysis, information, alerts, and a function through which a third party can be notified in case of emergency.
- Location and movement data: We collect your location and movement data when you use our Product, based on the GPS or other sensors of your Wearable. We use this data to provide you with location-based services, activity tracking, and fall recognition.
- Voice and text data: We collect your voice and text data when you interact with our software, including the Medical Interactive Assistant (“MIA”) using natural language, either by speaking or typing. We use this data to provide you with personalized health guidance and feedback, statistical analysis, information, and alerts.
- Device and usage data: We collect data about your device and usage of our Product, such as the device model from which you access our software, its operating system, IP address, unique identifiers, network information, settings, errors, crashes, performance, and usage frequency, duration, and usage patterns. We use this data to provide you with the Product and to ensure its functionality, compatibility, security, and quality.
2. What is the legal basis for processing your personal data?
We process your personal data on the following legal bases, depending on the specific purpose and context of the processing:
- Performance of the contract (Art. 6 para. 1 (b) GDPR): We process your personal data, including your contact details, biometric data, location and movement data as well as voice and text data, on the basis of a contract, when you enter into an agreement with us for the provision of our software, such as the VitalMedix End User License Agreement. We process your personal data to perform our contractual obligations and provide you with the software and services that you have requested.
- Consent (Art. 6 para. 1 (a) GDPR): We process your personal data on the basis of your consent when you voluntarily agree to the processing of data concerning your health and for a specific purpose, such as receiving marketing communications, participating in surveys or promotions, or sharing your data with third parties. You can withdraw your consent at any time by contacting us (please see no. 10 below) or using the opt-out mechanisms provided in our Product. The withdrawal of consent does not affect the lawfulness of the consent-based processing of your personal data before the withdrawal.
- Legal obligation (Art. 6 para. 1 (c) GDPR): We process your personal data on the basis of a legal obligation, when we are required to comply with a law, court order, or a request by a public authority that applies to us. We process your personal data to fulfill our legal duties and protect our rights and interests.
- Legitimate interest (Art. 6 para. 1 (f) GDPR): We process your personal data on the basis of a legitimate interest when we have a reasonable and proportionate reason to process your personal data for our benefit, and such processing does not override your interests, rights, and freedoms. This includes when we use your personal data to operate, improve, analyze, and support our Product and services, conduct research and development, or enhance our security and fraud prevention measures, and when we enforce the VitalMedix End User License Agreement, defend ourselves against claims or disputes, and promote our business.
4. How is personal data protected when transferred to third countries?
Where your personal data is transferred to jurisdictions outside the EU that do not provide the same level of data protection, we do so on the basis of Standard Contractual Clauses adopted by the EU Commission or an adequacy decision issued by the European Commission under Article 45 GDPR.
5. How do we use cookies and similar technologies?
We use cookies and similar technologies, such as web beacons, pixels, tags, and scripts, to collect and store certain device and usage data when you use our Product or visit our website. Cookies are small text files that are placed on your device by a web server and that allow us to recognize your device, remember your preferences, enhance your user experience, measure and analyze your use of our Product and website, and improve our Product. We use both session cookies, which expire when you close your browser, and persistent cookies, which remain on your device until you delete them or they expire.
You can manage your cookie preferences and settings by adjusting your browser settings or using the opt-out mechanisms provided by us. However, please note that if you disable or reject cookies, some features or functionalities of our software or website may not work properly or may be less convenient to use.
6. How do we protect your personal data?
We take appropriate technical and organizational measures to protect your personal data from unauthorized or unlawful access, use, disclosure, alteration, or destruction, and to ensure its accuracy, integrity, and availability. These measures include, but are not limited to, encryption, pseudonymization, access control, data backups, firewall, antivirus, and security training. However, no method of transmission or storage of data is completely secure, and we cannot ensure absolute security of your personal data. If you have any questions about our security practices, please contact us (see no. 10 below).
7. How long do we retain your personal data?
We retain your personal data for as long as necessary to fulfill the purposes for which we collected it, or to comply with our contractual and other legal obligations, or legitimate interests. The retention period may vary depending on the type and category of personal data, the purpose and context of the processing, and the applicable legal or technical requirements. When we no longer need your personal data for the purposes for which we collected it, we will delete it or anonymize it, or, if this is not possible, we will securely store your personal data and isolate it from any further processing until deletion is possible.
8. What are your rights and choices regarding your personal data?
You have the following rights and choices regarding your personal data, subject to the applicable laws and limitations:
- Access (Art. 15 GDPR): You have the right to request access to your personal data that we hold and process, and to receive a copy of it in a commonly used and machine-readable format.
- Rectification (Art. 16 GDPR): You have the right to request the rectification of any inaccurate or incomplete personal data that we hold and process about you.
- Erasure (Art. 17 GDPR): You have the right to request the erasure of your personal data if the relevant requirements under Art. 17 GDPR are met.
- Restriction (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if the relevant requirements under Art. 18 GDPR are met.
- Objection (Art. 21 GDPR): You have the right to object to the processing of your personal data when we process it on the basis of our legitimate interest. We will then no longer process your data unless we have a legitimate interest in processing your data that outweighs your interests, rights and freedoms. An objection to processing for direct marketing purposes will always result in this processing being discontinued.
- Portability (Art. 20 GDPR): You have the right to request the portability of your personal data that we hold and process, when we process the personal data on the basis of your consent or a contract and when we process it by automated means. You have the right to receive your personal data in a commonly used and machine-readable format, or to have it transmitted to another controller, where technically feasible.
- Complaint: If you are dissatisfied with the processing of your personal data, you can contact us at any time to file a complaint (see no. 10 below). Of course, you can also lodge a complaint with a supervisory authority if you believe that we have violated your rights or the applicable laws regarding the processing of your personal data.
To exercise any of these rights or choices, or to obtain more information about them, please contact us using the contact details provided below under no. 10. We will respond to your request within a reasonable time and in accordance with the applicable laws. We may ask you to provide proof of your identity and sufficient details about your request before we can process it. We may also charge a reasonable fee or refuse to act on your request if that request is manifestly unfounded or excessive.
9. How do we update this Declaration?
We may update this Declaration from time to time to reflect changes in our data protection practices, our Product or services, or the applicable laws. We will notify you of any material changes by posting the updated Declaration on our website and by sending you an email, where appropriate. We encourage you to review this Declaration periodically to stay informed about how we process your personal data. The date of the last update is indicated at the top of this Declaration. Your continued use of our Product or services following an update of this Declaration constitutes your acceptance of the updated Declaration.
10. How can you contact us?
If you have any questions, comments, complaints, or requests regarding this Declaration or our data protection practices, please contact us using the following contact details:
HoloMedix.AI SE
Königstadt-Carree am Brennerplatz
Mollstr. 32
20249 Berlin
Germany
Email: helpdesk