Privacy Policy
Version 2.2 — Last updated 25 May 2026
Thank you for using coobi care. The protection of your personal data is important to us.
This privacy policy applies to all three user groups of coobi care. Where there are particularities for specific groups, these are marked directly in the text with the labels below:
- Clinic/Practice — You use coobi care via a clinic or practice that provides you with an access code. Marker in text: [Only Clinic/Practice]
- DRV Aftercare — You use coobi care as part of Combined Aftercare (model project with the German Pension Insurance and Martin Luther University Halle-Wittenberg). Marker in text: [Only DRV Aftercare]
- Without Partner Clinic — You purchased an access code yourself and use the app independently without a linked clinic. Marker in text: [Only Without Partner Clinic]
Provisions that apply both to Clinic/Practice and DRV Aftercare (i.e. all users with a linked institution) are marked with [Only With Partner Institution]. All other provisions apply to all three user groups.
Please read this privacy policy in conjunction with our terms of use. The current version is available at https://www.coobi.health/terms-conditions.
For questions, please contact info@coobi.health.
1. Introduction
We take the protection of your personal data seriously and comply with applicable data protection laws, in particular the General Data Protection Regulation (GDPR). With this privacy policy we fulfil our information obligations under Art. 12 et seq. GDPR.
Our service offering covers the website coobi.health, the web dashboard coobi clinic dashboard, and the coobi care app (together the “platform”).
2. Definitions
- “Controller” (Art. 4(7) GDPR): the entity that decides on the purposes and means of data processing.
- “Processor” (Art. 4(8) GDPR): the entity that processes personal data on behalf of the controller.
- “Personal data” (Art. 4(1) GDPR): all information that can be related to an identifiable natural person.
- “Processing” (Art. 4(2) GDPR): any handling of personal data (collection, storage, use, transmission, deletion, etc.).
- “Special categories of personal data” (Art. 9(1) GDPR): including health data, which require a higher level of protection.
- “Health data” (Art. 4(15) GDPR): data on physical or mental health that reveals information about the state of health.
- “Consent” (Art. 4(11) GDPR): voluntary, informed, unambiguous declaration of intent, e.g. by ticking a checkbox.
- “Pseudonymisation” (Art. 4(5) GDPR): processing in which data can no longer be attributed to a person without additional information.
- “Anonymisation” (DIN EN ISO 25237): irreversible alteration such that no personal reference can be re-established.
3. Controller details
The controller responsible for data processing within the meaning of Art. 4(7) GDPR is:
Stigma Health GmbH, Jarrestraße 42a, 22303 Hamburg, Germany, represented by its management.
For questions about the processing of your data or to exercise your rights, contact us by email at service@coobi.health.
Representative in Switzerland pursuant to Art. 14 nDSG: TAS SAT AG, Chamerstrasse 172, 6300 Zug, Switzerland. Swiss users may also contact this representative directly for data protection requests.
4. Data Protection Officer
You can reach our Data Protection Officer at:
Patrick Liptak, datenschutz@coobi.health, MYLE Rechtsanwaltsgesellschaft mbH, Potsdamer Str. 98, 10785 Berlin.
For technical questions about the platform, contact info@coobi.health.
5. Competent supervisory authorities
For users in Germany and the EU: The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, https://datenschutz-hamburg.de/
For users in Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch/
6. Your rights
As a data subject within the meaning of the GDPR, you have the following rights:
- Right to information (Art. 15 GDPR): You can obtain information about whether we process data about you and, if so, which data.
- Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): Under certain conditions you can request the deletion of your data.
- Right to restriction of processing (Art. 18 GDPR): Under certain conditions you can request that further processing be restricted.
- Right to data portability (Art. 20 GDPR): You can obtain a copy of your data in a machine-readable format.
- Right to object (Art. 21 GDPR): You can object to the processing of your data on grounds relating to your particular situation.
- Right to withdraw consent (Art. 7(3) GDPR): Consent given can be withdrawn at any time; the lawfulness of processing carried out previously remains unaffected.
- Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority.
You can exercise your rights at any time using the contact details listed in §3 or §4. We reserve the right to verify your identity through an appropriate procedure.
7. Disclosure of data to third parties
We and our processors generally only disclose your data to third parties if:
- you have given your express consent (Art. 6(1)(a) and/or Art. 9(2)(a) GDPR),
- the disclosure is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
- we are legally obliged to do so (Art. 6(1)(c) GDPR), or
- the disclosure is necessary on the basis of our legitimate interest in asserting legal claims (Art. 6(1)(f) GDPR) and no overriding interests of yours conflict with it.
8. Data transfer to third countries
In certain circumstances we use service providers based outside the EU/EEA. For such transfers we rely either on an adequacy decision of the EU Commission (Art. 45 GDPR) or on standard contractual clauses (Art. 46(2)(c) GDPR).
Switzerland is covered by an adequacy decision of the EU Commission, so transfers there are permissible without special safeguards. The same applies to the United Kingdom, which also benefits from an adequacy decision.
We expressly inform you in this privacy policy whenever a service provider involves a third-country transfer.
9. Notes on data security
Your data is secured during transmission via SSL/TLS encryption. Stored data is processed exclusively in security-certified data centres within the EU. All processors are contractually obliged to take appropriate technical and organisational measures (TOMs) to protect your data. Your data is in no case passed on or sold to third parties without a legal basis.
10. Downloading the coobi care app, app store
When downloading the app, certain data is transmitted to the respective app store (store account username, email address, content of the request, operating system). The processing of this data is carried out exclusively by the respective operator and is outside our area of influence.
Recipients: Apple App Store (Apple Privacy Policy) and Google Play Store (Google Privacy Policy).
For the provision of the app we use Amazon Web Services (AWS) (Amazon Web Services EMEA Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg) as a processor. The data is stored at most until the end of the user agreement.
11. Use of the coobi care app, access data
During use of the app your end device automatically transmits technical data to our servers that is technically necessary for the provision of the service. This includes in particular:
- device and app version
- operating system and version
- timestamp of the request
- technical status codes (e.g. error and status logs)
- pseudonymous session identifiers to maintain app function
We do not collect IP addresses in this context and do not log any data that allows you to be identified directly. Since the transmitted technical data may nevertheless relate to a person under certain circumstances, we treat it as personal data within the meaning of the GDPR as a precaution.
Purpose: Ensuring technical functionality, stability and error analysis of the app.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation of the app).
Recipient: Amazon Web Services (AWS) as processor.
Retention period: Technical logs are deleted or anonymised after no more than 14 days.
12. Use of the coobi.health website, access data
When accessing the website, your browser automatically transmits log files (IP address, browser type/version, operating system, referrer URL, accessed page, date/time, time zone, HTTP status code, transferred data volume) to the hosting provider.
Purpose: Ensuring technical functionality of the platform. The data is not used to identify users or for marketing purposes.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Recipient: Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) as processor. Render is based in the USA; data transmission takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR) and supplementary technical and organisational protection measures.
Retention period: Log files are deleted or anonymised after no more than 14 days.
13. Registration and user account, app
Use of the app requires registration.
Processed data: access code; security question; username; gender, age range, type of addiction; therapy goal, consumption history, pre-existing conditions (optional); biometric login information (optional).
[Only Without Partner Clinic] Users without a partner clinic register directly using a self-purchased access code. There is no therapist access and no data sharing with an institution.
Purpose: Creation of the user account and access to the service offering.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR (consent, as health data and possibly biometric data are processed).
Recipient: Amazon Web Services (AWS), Amazon Web Services EMEA Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg, as processor.
Retention period: Until withdrawal of consent or deletion of the account. Withdrawal results in deletion of the user account.
You can withdraw your consent at any time directly in the app via the corresponding button in the settings.
14. Registration and user account, therapist access [Only With Partner Institution]
Therapists receive access to the coobi clinic dashboard via a clinic admin account (email address, password).
Purpose: Secure access to the dashboard and management of patient data.
Legal basis: Art. 6(1)(b) GDPR.
Recipient: Render (Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) and AWS as processors. Render is based in the USA; data transmission to the USA takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR) and supplementary technical and organisational protection measures.
Retention period: Until deactivation of the account.
15. Onboarding in the app
After registration you go through a medical onboarding that adapts the app to your situation.
Processed data: gender, age range, type of addiction, therapy goal, consumption history, pre-existing conditions, emergency contact, biometric login information (each insofar as provided).
Purpose: Individual adaptation of app content to your situation.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.
Recipient: AWS as processor.
Retention period: Until withdrawal of consent or deletion of the account. Withdrawal results in the service offering no longer being usable.
16. Anonymisation of data, further processing for research purposes
Usage data is further processed in anonymised form in order to gain insights for addiction research. Upon complete anonymisation, the personal reference ceases to exist and the data is no longer subject to the GDPR.
Legal basis: Art. 6(1)(a) GDPR (consent, requested separately from other consents).
Retention period of anonymised data: Unlimited (no longer any personal reference).
17. Newsletter subscription, HubSpot
If you subscribe to our newsletter, we process your email address, subscription and confirmation time, IP address as well as anonymised usage data (open and click rate).
Legal basis: Art. 6(1)(a) GDPR. Subscription takes place via the double-opt-in procedure.
Recipient: HubSpot (HubSpot Ireland Ltd., Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland) as processor.
Retention period: Until withdrawal of consent. Withdrawal at any time via the unsubscribe link in the newsletter or by email to info@coobi.health.
18. Use of the support chat, Intercom
You have the option to contact our customer service via chat through the app or website.
Processed data: user ID (automatically transmitted as logged-in user when opening the chat — you do not need to provide any credentials); device information (operating system, device type); product area used (app or dashboard); communication content; health data, insofar as part of the communication.
Purpose: Processing and answering your inquiries; automatic assignment of the support case to your user account.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.
Recipient: AWS, Render and Intercom (Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, Ireland) as processors. We point out that Intercom is part of a US group of companies; data transmission takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR).
Retention period: Until completion of the communication and thereafter only to the extent that no statutory retention obligations conflict.
19. Use of the coobi chat, chat group for aftercare [Only With Partner Institution]
In addition to the support chat, a separate group chat is available to you for communication with other users in your aftercare or therapy group. Therapists or other employees of the institution do not participate in this chat.
Processed data: communication content, health data (insofar as part of the communication), username.
Purpose: Mutual support between users of a shared aftercare or therapy group, support of the recovery process.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.
Recipient: AWS as processor. Content of the group chat is visible only to members of the respective chat group.
Retention period: Until the end of the therapy or aftercare phase or the communication, insofar as no statutory retention obligations exist.
20. Data sharing, coobi clinic dashboard [Only With Partner Institution]
We offer the coobi clinic dashboard for medical institutions.
Processed data: pseudonymised user data from the app, aggregated statistics on usage behaviour and therapy progress, pseudonymised information on dependency types and goals.
Purpose: Support for medical professionals in accompanying patients.
Legal basis: Art. 9(2)(a) GDPR (explicit consent, granted via the settings in the app).
Recipient: Exclusively authorised medical professionals in clinics as well as technical staff of Stigma Health GmbH for maintenance and support.
Retention period: Until termination of use or withdrawal of consent; subsequently deletion, unless statutory retention periods exist.
21. Processing technical inquiries, Linear
We use the ticketing system Linear to process technical issues.
Processed data: contact information, problem description, communication history.
Legal basis: Art. 6(1)(b) and (f) GDPR.
Recipient: Linear (Linear Orbit Inc., 2261 Market St STE 10632, San Francisco, CA 94114, USA) as processor. Data transmission on the basis of EU standard contractual clauses.
Retention period: Until expiry of the contract period, insofar as no statutory retention obligations conflict.
22. Data transmission via interfaces (wearables)
Vital data (heart rate, steps, sleep data) is transmitted via the following interfaces: Apple Health / HealthKit, Garmin Connect.
Legal basis: Art. 9(2)(a) GDPR (consent). The data is transmitted exclusively in encrypted form and cached temporarily.
23. Push notifications
We send push notifications to your end device to remind you to use the app, inform you about new content and — where relevant for your user group — transmit notes as part of your aftercare.
Processed data: device push token (a pseudonymous device identifier issued by the operating system); content of the notification; time and delivery status.
Purpose: Transmission of in-app notes, reminders and programme updates.
Legal basis: Art. 6(1)(a) GDPR (consent, granted via the notification permission of your end device and/or the app settings). You can withdraw your consent at any time via the system settings of your end device or in the app, with effect for the future.
Services used and recipients:
- Expo Notifications (Expo, Inc., 650 Castro Street, Suite 120-201, Mountain View, CA 94041, USA) as technical delivery service.
- Apple Push Notification Service (APNs) (Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland; group company Apple Inc., USA) for iOS devices.
- Firebase Cloud Messaging (FCM) (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; group company Google LLC, USA) for Android devices.
Expo, APNs and FCM may transmit personal data to the USA. The data transmission takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR) and supplementary technical and organisational protection measures.
Retention period: Push tokens are stored until you deactivate notifications or delete your user account. Delivery logs are deleted after no more than 30 days.
25. Google Analytics
We use Google Analytics on the coobi.health website — a service for reach and usage analysis.
Processed data: pseudonymous user and device ID; shortened/anonymised IP address; browser type, operating system, screen resolution; time spent, pages accessed, referrer URL; click and scroll behaviour.
Purpose: Statistical evaluation of website usage to improve our offering.
Legal basis: Art. 6(1)(a) GDPR (consent). Consent is obtained via the cookie banner and is not a prerequisite for using the website. It can be withdrawn at any time via the cookie settings with effect for the future.
Recipient: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (group company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Transmission to the USA takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR). We have enabled IP anonymisation so that IP addresses are shortened before any processing.
Retention period: Maximum 14 months; thereafter automatic deletion.
You can additionally object to the data collection by Google Analytics by installing the browser add-on: https://tools.google.com/dlpage/gaoptout.
26. Usage analytics services
We use LogRocket and AWS for analysing usage behaviour and troubleshooting.
Processed data: user ID (pseudonymised), device information, time of access, app version, session ID, usage statistics.
Legal basis: Art. 6(1)(a) GDPR (optional consent, not a prerequisite for using the platform).
Recipient: LogRocket (87 Summer St, Boston, MA 02110, USA) and AWS. Data transmission on the basis of EU standard contractual clauses.
Retention period: After account deletion or withdrawal, usage data is anonymised and can no longer be attributed.
27. Use of locally hosted Google Web Fonts
We use Google Web Fonts that are loaded exclusively locally from our own servers or those of our hosting provider in order to ensure a consistent display on different devices. No connection to Google servers takes place here; no data is transmitted to Google in this context.
As part of a normal page request, our hosting providers process the connection data technically necessary for delivering the fonts (e.g. browser type, operating system, timestamp).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent and fast display).
Recipient: AWS and Render as hosting providers.
28. Contacting the controller
When contacting us by email or contact form we process your email address, date/time and content of the inquiry.
Purpose: Processing and answering your inquiry; for product-related complaints also as part of feedback management.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest) or Art. 6(1)(b) GDPR (for contract-related inquiries) or Art. 6(1)(a) GDPR (for consent via the contact form).
Recipient: Google Mail (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and Intercom as processors.
Retention period: Until final processing, insofar as no statutory retention obligations conflict.
You have the right to object to the processing based on Art. 6(1)(f) GDPR at any time pursuant to Art. 21 GDPR.
29. Use of the community function
coobi offers a community function in which users can support each other pseudonymously (under their username). The function is accessible to all user groups.
Processed data: username (pseudonym); posts and interactions (texts, reactions); reports (content reported by other users); times of posts.
Purpose: Enabling mutual exchange between users and ensuring a safe and rule-compliant community.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR (consent; as community posts may also contain health data).
Recipient: AWS as processor.
Retention period: Until deletion of the user account or early removal of content by you or our moderation team. Content that violates our community guidelines may be removed without prior notice.
Note: Posts you publish in the community are visible to all other community members under your username. Do not disclose any information in the community that allows conclusions about your identity.
30. Pseudonymised data sharing in the model project [Only DRV Aftercare]
As part of the model project, pseudonymised usage data is exchanged with the German Pension Insurance (DRV) and Martin Luther University Halle-Wittenberg. The University of Halle prepares a scientific evaluation on the basis of this data.
Processed data: pseudonymised usage and therapy data.
Purpose: Scientific evaluation of the effectiveness of coobi care as part of the model project.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR (consent, obtained separately via the declaration of consent for participation in the model project).
Recipient: German Pension Insurance (DRV) and Martin Luther University Halle-Wittenberg.
Retention period: The pseudonymised data is stored for the duration of the model project. Re-attribution to your person is excluded.
31. Order and payment processing [Only Without Partner Clinic]
If you purchase an access code directly via our website, you go through an ordering process handled via two processors: an order form and a payment service provider.
Order form (Tally)
Processed data: email address and further data requested in the form (e.g. name; an address is only collected to the extent necessary for order processing or invoicing).
Purpose: Recording the order and providing the access code by email.
Legal basis: Art. 6(1)(b) GDPR (initiation and performance of a contract).
Recipient: Tally (Hoppy Forms BV, Otto Veniusstraat 35, 2000 Antwerp, Belgium) as processor. The data is processed on servers within the EU.
Retention period: Order data is stored until completion of the order and thereafter only insofar as statutory retention obligations (in particular § 147 AO, § 257 HGB) require.
Payment processing (Stripe)
Processed data: name, email address, payment data (credit card information, IBAN, etc. — depending on the chosen payment method), billing address, transaction ID, time of payment, IP address.
Purpose: Processing of payment for the purchased access code.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Recipient: Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland; group company: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA) as processor. Transmission to the US group company may occur; this takes place on the basis of EU standard contractual clauses (Art. 46(2)(c) GDPR) and supplementary technical and organisational protection measures. As a payment service provider, Stripe is itself a controller within the meaning of the GDPR for certain processing purposes (fraud prevention, regulatory obligations); for details see Stripe's privacy policy at https://stripe.com/privacy.
Retention period: Until completion of payment processing and for statutory retention periods (in particular § 147 AO: 10 years for invoice and accounting data).
32. Updates to this privacy policy
We reserve the right to update this privacy policy with effect for the future. We will inform you of an intended change in good time. Your rights as a data subject are never restricted by an amendment to this privacy policy.