Data Protection for the Keleya App
In addition to our online offer, we provide you with a mobile app that you can download to your mobile device.
In the following we inform about the collection of personal data when using our mobile app.
Personal data is any data referring to your person, e.g. name, address, email addresses, user behavior.
Below we explain how we handle your data when you use the Keleya app.
1. Name and contact information of the controller
Keleya Digital-Health Solutions UG
Volksdorfer Strasse 25
c/o A. Leuchte
22081 Hamburg, Germany
Tel.: +49 (0)151-50622615
2. Name and contact information of the data protection officer:
You can reach our data protection officer under firstname.lastname@example.org or our postal address with the recipient-addition “the data protection officer”.
3. Collection and storage of personal data and the nature and purpose of their use when using the Keleya app
a) Downloading the Keleya app over the App-Store
Downloading the Keleya mobile app will transfer certain information to the App Store, in particular your account username, email address and account number, time of download, payment information and unique device code. We have no influence on this data collection and are not responsible for it. We only process the data as far as necessary for downloading the mobile app to your mobile device.
b) Installing the app on your device – Data collection in log files
The following information is recorded without your intervention in so-called log files and stored until automated deletion:
- Language and version of the operating system
- Used platform (iOS or Android)
The data mentioned is processed by us for the following purposes:
- Ensuring a smooth connection setup of the app,
- ensuring comfortable use of our app,
- evaluation of system security and stability, as well as
for further administrative purposes.
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.
c) Registration of your Keleya user account
You can create a Keleya user account via our login system. For registration we need at least the following data:
- Nickname (pseudonym)
- Email address
Legal bases for processing are Art. 6 para. 1 p. 1 lit. c and f GDPR, the processing serves the fulfillment of the contract and the preservation of the legitimate interests of the person responsible or a third party.
d) Linking to a Facebook profile
You can link the Keleya app to your Facebook profile. In the registration process, simply select “Login with Facebook”. Then you will be redirected to Facebook. Here you will find an overview of which Facebook data we have access to. We save your email address used on Facebook. Should the occasion arise, we may use this to contact you. We also save that you have logged in via Facebook.
The legal basis for processing the data is your consent in accordance with Art. 6 para. 1 lit. a GDPR.
e) Registration with a Google account
You have the option to sign into the Keleya app through your Gmail/Googlemail account.
The legal basis for processing the data is your consent in accordance with Art. 6 para. 1 lit. a GDPR.
f) Use of motivational short messages via push notifications
When you start using our mobile app, you have the option to enable push notifications. Push notifications are text messages that appear on the display with your consent. Through these we will inform you about news, or send you texts that serve your motivation.
If you use the push services, your device will be assigned an Apple Device Token or a Google Registration ID. These are encrypted, anonymized device IDs. A conclusion on the individual user is excluded.
The purpose of their use by us is solely to provide the push services. If you do not give permission, we will not use this data.
To unsubscribe from the push services later, you can use the opt-out option in your settings. These can be found in the settings of the respective favorites.
The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR, the processing serves to protect the legitimate interests of the person in charge or a third party.
g) Subscription to our newsletter
If, according to Art. 6 para. 1 sentence 1 lit. a GDPR, you have expressly consented, we use your email address to regularly send you our free newsletter.
The following data is transmitted here:
- Nickname specified by the user
- Birth date specified by the user
- Email address specified by the user
In addition, the following data is collected upon registration:
- Date and time of registration
We use the MailChimp® tool from The Rocket Science Group, LLC to send the newsletter.
MailChimp uses the data according to the contract exclusively for sending the newsletter. Apart from this, we do not pass on data to third parties in connection with data processing for sending the newsletter.
An un-subscription is possible at any time, for example via a link at the end of each newsletter. Alternatively, you can also send your request for un-subscription to email@example.com by email.
h) Use of our contact form
For questions of any kind, we offer you the opportunity to contact us via a form in the app.
The data processing for the purpose of contacting us is in accordance with Art. 6 para. 1 p. 1 lit. a GDPR based on your voluntarily given consent.
The personal data collected by us for the use of the contact form will be automatically deleted after completion of the request made by you.
i) Purchase and renewal of subscriptions
If you purchase additional subscriptions from us via the Keleya app or renew them through the Keleya app, the related data will be stored with us for the purpose of fulfilling the contract.
This data is used on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR for the execution of contractual relationships with you.
The relevant data will be stored with us as long as necessary for processing and fulfillment of the contract.
i.2) Purchase of premium services via Keleya.de website
In this case, the payment services for the user are provided by Stripe Payments Europe, Ltd (hereinafter referred to as “Stripe”) and are subject to the Stripe Connected Account Agreement (Stripe Connected Account Agreement), which includes the Stripe Terms of Service (summarized under the Collective term “Stripe Services Agreement”). In addition to the Company’s present terms, the customer accepts Stripe’s “Stripe Services Agreement” terms regarding payment services.
j) Further active use of the Keleya app
If you actively use the Keleya app, we process further personal data, in particular
- Your activities in the app, e.g. frequency or duration of use
- Food and fitness preferences and symptoms you specify
- Optionally specified by you:
- food intolerances specified by you
- profile photo submitted by you
This data is required by us to offer you all the features of our mobile app.
The legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR – the processing serves to safeguard the legitimate interests of us as the responsible party.
4. Disclosure of data
We only disclose your personal data to third parties under certain conditions. Below we inform you about these prerequisites.
If, according to Art. 6 para. 1 sentence 1 lit. a GDPR, you have given an express consent to this, we pass your personal data to third parties.
Representation of legal rights
According to Art. 6 para. 1 sentence 1 lit. f GDPR, we may disclose your personal data to third parties if this is necessary for the assertion, exercise or defense of legal claims. There must also be no reason to believe that you have an overriding interest in protecting your data from being shared.
We will pass on your personal data if a legal obligation under Art. 6 para. 1 sentence 1 lit. c GDPR is present.
If the disclosure of your personal data is permitted by law and this is necessary for the execution of a contractual relationship with you, we may pass on your data to third parties.
5. Analysis tools by Google
The tracking measures listed below and used by us are based on Art. 6 para. 1 sentence 1 lit. f GDPR. With the tracking measures used, we want to ensure needs-based design and the ongoing optimization of our app. In addition, we use the tracking measures to statistically record the use of our app and evaluate it for the purpose of optimizing our offer for you. These interests are to be regarded as justified within the meaning of the aforementioned provision.
We use a set of Google services for our analysis and marketing purposes (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – henceforth “Google”). Through these tools, data about your usage behavior are collected in various ways and statistically evaluated. We also use your information to show you personalized advertising using Google’s services. By using our app, you agree to this. The various services, your options to revoke your consent in a simple way, and other important information will be explained in the following.
For more information on how Google handles the data we submit, please visit: https://www.google.com/intl/en/policies/privacy/partners/
The information generated by Google Tools is usually transmitted to and stored by Google on servers in the United States. Google and its affiliates are certified under the EU-US Privacy Shield.
a) Google Analytics
You can prevent the collection and processing of the information generated by the Google cookies by setting an opt-out cookie or by deactivating Google Analytics in the menu of your device. Alternatively, a browser plug-in can be installed which you can find here: https://tools.google.com/dlpage/gaoptout/.
Firebase is a Google subsidiary based in San Francisco, CA. We use the Firebase SDK and Google Analytics for Firebase in our Keleya app. This tool makes it possible to use the same functions in an app as it does for websites with Google Analytics. It uses technologies that work similar to cookies, especially the respective advertising IDs.
We collect information about your usage behavior in the Keleya app. We use this data to make statistical evaluations, to test our offers, and to improve them.
We also use this information for personalized advertising. In addition, we use Firebase to deliver push messages or so-called in-app messages (messages that are only displayed inside the app). In this case, the mobile terminal is assigned a pseudonymized push reference, which serves as the destination for the push messages or in-app messages. The push messages can be deactivated in the settings of the mobile device at any time and can also be reactivated.
If you do not want this kind of data to be collected, you can prevent this via the device settings of your mobile device (opt-out). How you can prevent this data collection on an Android device for example, is explained here: https://www.google.com/policies/technologies/ads/.
On an iOS device, you can find the according options under Settings> Privacy> Advertising.
We also use Crashlytics to analyze the application stability of our Keleya app. Crashlytics is a subsidiary of Google. Crashlytics provides real-time reporting of errors and crashes, simplifying maintenance of the application. None of your personal data will be transmitted, only crash reports with information on codes and device information, such as: Device type and operating system version. Any conclusions about the users are not possible.
6. Rights of persons affected
As subject of the data processing, you have the following rights:
According to Art. 15 GDPR, you are entitled to request information about your personal data processed by us.
In particular, you can request information about
- the processing purposes,
- the category of personal data,
- the categories of recipients to whom your information has been disclosed,
- the planned storage period,
- the right to rectification, cancellation, limitation of processing or opposition,
- the existence of a right of appeal,
- the source of your data, if it was not collected from us, as well as
- the existence of automated decision-making including profiling and, where appropriate, meaningful information about their details;
According to Art. 16 GDPR, you have the right to demand:
- Immediate correction of incorrect personal data stored with us
- immediate completion of your personal data stored with us;
According to Art. 17 GDPR, you are entitled to demand the deletion of your personal data stored by us, unless the processing is needed
- to exercise the right to freedom of expression and information,
- to fulfill a legal obligation,
- for reasons of public interest or
- to assert, exercise or defend legal claims;
According to Art. 18 GDPR, you are entitled to demand the restriction of the processing of your personal data, insofar as
- the accuracy of the data is disputed by you,
- the processing is unlawful, but you reject its deletion and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims, or
- you filed an objection against the processing in accordance with Art. 21 GDPR;
According to Art. 20 GDPR, you have the right to receive your personal data provided to us in a structured, standard and machine-readable format or to request the transfer to another person responsible;
According to Art. 7 para. 3 GDPR, you have the right to revoke your once given consent at any time. Thereafter we may not continue the data processing based on this consent for the future.
According to Art. 77 GDPR you are entitled to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or work, or our company headquarters.
7.Transmission to third countries
Our service providers also process data in countries outside the European Economic Area (“EEA”). In order to ensure the protection of your personal rights also in the context of these data transfers, we use the standard contractual clauses of the EU Commission in structuring the contractual relationships with the recipients in third countries in accordance with Art. 46 para. 2 lit. c GDPR. For the U.S., the European Commission has decided by decision on 12.07.2016, that under the regulations of the EU-U.S. Privacy Shield an appropriate level of data protection exists (adequacy decision, Art. 45 GDPR). Further information – including the certification of the service providers we use – is available at https://www.privacyshield.gov. We use only U.S. service providers who are certified under the EU-U.S. Privacy Shield.
In principle, we do not use fully automated decision-making in accordance with Art. 22 GDPR to justify and implement the business relationship. If we use these procedures in individual cases, we will inform you about this and about your respective rights separately, as far as this is prescribed by law.
9.Right of objection
If your personal data, based on legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, is processed, you have the right to file an objection against the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct mail. In the latter case, you have a general right of objection that is implemented by us without specifying any particular situation on your part.
If you would like to exercise your right of revocation or objection, please send an email to firstname.lastname@example.org.
10. Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.