Privacy policy

We, cardioscan GmbH, Theodorstraße 41r, 22761 Hamburg, Germany (in the following "cardioscan", "we" or "us" etc.) take the protection of your personal data very seriously. We treat your personal data confidentially and exclusively in accordance with the statutory data protection regulations, in particular the German Data Protection Ordinance (GDPR), the Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG).

When you use our vicoach app (in the following "app"), we process various personal data from you. Personal data in this context is information that relates to an identified or identifiable natural person. Personal data are, for example, your name, your date of birth, your e-mail address, your postal address or your IP address. Information of a general nature from which your identity cannot be determined, such as the number of users of our app, is not personal data.

1. Name and contact details of the data processor

The data processor within the meaning of Art. 4 No. 7 GDPR is:

cardioscan GmbH
Theodorstraße 41r
22761 Hamburg, Germany
phone: +49 (0) 40 303 723 30
e-mail: info@cardioscan.de

2. Contact details of the data protection officer

You can reach our data protection officer under the following contact details:

Data protection officer of cardioscan GmbH
Theodorstraße 41r
22761 Hamburg, Germany
phone: +49 (0) 40 303 723 30
e-mail: datenschutz@cardioscan.de

3. Subject matter, purposes and legal basis of data processing

When you use our app, we process personal data about you. In the following, we would like to provide you with more detailed information about when we process personal data about you, what personal data we process, the purposes for which we process your personal data and on what legal basis we do this:

3.1. Download the app

a. Subject matter and scope of data processing

In order to use the app, you must first download it from the Apple App Store or the Google Play Store. To do this, you need an account with the respective app store, which you can set up there if required. When downloading, your e-mail address, your user name, the customer number of the downloading app store account, the individual device identification number, payment information and the time of the download are transferred to Apple (Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA, in the following "Apple") or Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, in the following "Google").

b. Purpose and legal basis of the data processing

Please note that we have no influence on the collection and other processing of personal data in connection with your registration and use of the Apple App Store or Google Play Store. Only the terms of use and the privacy policy of the Apple App Store or Google Play Store apply here. The person responsible under data protection law for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is in this respect exclusively Apple or Google. For further information, please contact the respective app store provider.

3.2. Device and access data

a. Subject matter and scope of data processing

Within the scope of the installation and use of our app we process the following technical data about your mobile device (in the following "device data"):

When you use the app, it accesses our server to retrieve or store data. In the process, our server collects so-called access data based on the functioning of the Internet Protocol, which your device automatically transmits to us. This protocol data record contains in particular the following information:

b. Purpose and legal basis of data processing

The processing of the above-mentioned device and access data is technically necessary to enable communication with our server and to provide you with the functions of our app. We also process the access data to ensure - as far as technically possible and reasonable - the integrity, stability and functionality of our app, to analyze and eliminate any errors and to ward off any attempted attacks on our server. When processing the device and access data, we do not draw any conclusions about your person. In particular, no personal evaluation for marketing purposes or profiling takes place. The processing of device and access data is necessary to protect our legitimate interests in providing the app and ensuring its technical integrity (legal basis: Art. 6 para. 1 lit. f GDPR).

3.3. Registration and setting up a user account

a. Subject and scope of data processing

(i) User account

After you have downloaded the App from the Apple App Store or Google Play Store, in order to use the App, you must first register and set up a user account in the App (in the following "User Account"). To register, you must provide the following data (in the following "Registration Data"):

After you have assigned a password for your user account, we will send you an e-mail with a confirmation link to the e-mail address you provided. Click this confirmation link to confirm your User Account and complete registration.

(ii) Automatic data import via Connect from vicoach Business

In case you have registered in advance at a participating gym, doctor's office or hotel (in the following "Facility") via the vicoach Business portal provided there, e.g. in order to use the provided mescan / cardioscan / bodyscan / metabolicscan devices of cardioscan there (see section 3.5 a. (ii) below), the App automatically connects to the vicoach Business Portal via a Connect (see section 4.1 below) in order to import the measurement data generated on the devices into the App via our cardioscan interface.

In order to establish a Connect, you must use the same e-mail address when registering in the app that you provided when registering in the vicoach Business Portal at your institution. As part of the registration process, your registration and measurement data stored or generated in the vicoach Business Portal at your facility will then be automatically imported into the App and will be available for you to view via the App there in addition to the vicoach Business Portal (cf. section 4.1 below) in order to provide you with optimal support at your facility.

b. Purpose and legal basis of data processing

Your registration data is processed exclusively in order to create a user account for you via which you can use the App and to which we can assign your usage data (cf. section 3.5 below) and, if applicable, your paid vicoach Premium subscription. The processing of this data is necessary for the fulfillment of a contract, namely the existing usage contract with you for the provision of the app (legal basis: Art. 6 para. 1 lit. b GDPR).

Please note that the measurement data imported into the app via Connect is, among other things, so-called health data within the meaning of Art. 4 No. 15 GDPR. Such data is processed exclusively on the basis of your prior, express consent (Art. 9 (2) a GDPR). Please note that you will not be able to fully use all functionalities of the app if you do not grant your consent or revoke it later. You have the right to refuse to give your consent or to revoke your given consent at any time with future effect vis-à-vis cardioscan (see section 8 below).

3.4. Payment Processing for Paid Subscriptions

You can choose within the App whether you want to use the App as a free basic version with limited functionalities or as a paid full version. To use the app to its full extent, you must take out a paid subscription. The payment processing of the paid subscription takes place via the Apple App Store or Google Play Store. Only the terms of use and the privacy policy of the Apple App Store or Google Play Store apply. Apple or Google collect and process the data required for your payment (e.g. bank details or credit card data) without us having access to it. The data controller for the processing of your personal data within the meaning of Article 4 No. 7 GDPR is in this respect solely Apple or Google. For further information, please contact the respective app store provider directly.

3.5. Processing of usage data

a. Subject matter and scope of data processing

In the course of using our app, we process various data (in the following "usage data") in order to be able to provide you with the app and its functions and to enable you to have a personalized user experience. This relates on the one hand to data (i) which you generate in our App in the context of so-called "In-App Tests" (cf. Section 3.5.a.(i) below), and on the other hand to data (ii) which you import into the App via our cardioscan interface, such as "external scans" via Connect (cf. Section 3.5.a.(ii) below) or from Apple Health or Google Fit (cf. Section 3.5.a.(iii) below):

(i) In-App Tests: mobilityscan / lifestylescan / immunscan

In our app, you can perform various tests to analyze your mobility, mental health or immune system and receive corresponding recommendations. Depending on the respective test, different personal data of you will be processed in the process:

With the help of mobilityscan, you can analyze your mobility and then receive recommendations for improvement. Various movements or postures (e.g. shoulder mobility, one-leg stand, trunk bend, etc.) are performed and the results are analyzed using control questions.

With the help of the lifestylescan you can analyze your mental health, your health behavior and your resistance and then receive recommendations for improvement. For this purpose, you will be asked various questions about your lifestyle (e.g. your sleeping and exercise habits, etc.), your body (e.g. your body measurements, your blood pressure, etc.), personal character traits and attitudes (e.g. how you deal with your own weaknesses, your own values, etc.) as part of the respective questionnaires.

With the help of the immunscan you can analyze your immune system and receive recommendations for improvement. For this purpose, you will be asked various questions about your health (e.g. existing diseases or their frequency) and your lifestyle (e.g. your sleeping and exercise habits) as part of a questionnaire.

(ii) External scans: mescan / cardioscan / bodyscan / metabolicscan

When you perform a measurement on our mescan / cardioscan / bodyscan / metabolicscan devices at your participating facility (in the following "Scan"), you have the option to connect to your facility's vicoach Business Portal in the app (in the following "Connect") to automatically import the measurement data generated by the scan into the app via our cardioscan interface.

In order to establish a Connect, you must use the same e-mail address when registering in the app that you provided when registering in the vicoach Business Portal at your institution. As part of the registration process, your measurement data stored in the vicoach Business Portal at your facility or generated there will then be automatically imported into the app and can be viewed there by you via the app in addition to the vicoach Business Portal (cf. section 4.1 below) in order to provide you with optimum support at your facility.

You can also connect later under the menu item "Change studio" in the app settings or change the facility by scanning the QR code displayed in your facility. If you have performed a mescan, you can also directly scan the QR code displayed on the mescan to establish a Connect.

After a successful Connect - depending on the scan performed - the following data will be transmitted from your facility to us:

mescan
data category: Body Fat, Body Water, Weight, Muscle mass, Visceral fat, Phase angle, Oxygen saturation, Training zones, Training schedule, Training readiness, Biological age, Resting heart rate, Heart rate variability

cardioscan
data category: Resting heart rate, Cardio Stress Index, Cardio Fit Level, Heart rate variability

bodyscan
data category: Body Fat, Body Water, Weight, Muscle mass, Visceral fat

metabolicscan
data category: Resting Metabolic Rate, Oxygen uptake, Carbon dioxide output, Energy delivery

You can also use the mescan / cardioscan / bodyscan / metabolicscan devices from cardioscan independently of the app. In this case, you must not establish a Connect between your facility and the app. Your measurement data will then be stored exclusively in the vicoach Business Portal of your facility and can only be viewed by you there.

(iii) Data import: Apple Health / Google Fit

You also have the option to import data from Apple Health or Google Fit into the app. Depending on the data categories for which you have activated the transfer in the Apple Health App or Google Fit App, the following data will be transmitted to us in this process:

b. Purpose and legal basis of the data processing

We process the usage data outlined above solely for the purpose of providing our App and its features, in particular to provide you with recommendations to improve your workouts, nutrition, regeneration and immune system. The processing of this data is necessary for the fulfillment of a contract, namely the existing usage contract with you for the provision of the app (legal basis: Art. 6 para. 1 lit. b GDPR).

Please note that the usage data collected in our app or transmitted to us is, among other things, so-called health data within the meaning of Art. 4 No. 15 GDPR. Such data is processed exclusively on the basis of your prior, express consent (Art. 9 (2) a of the GDPR). Please note that you will not be able to fully use all functionalities of the app if you do not grant your consent or revoke it later. You have the right to refuse to give your consent or to revoke your given consent at any time with effect towards cardioscan for the future (see section 8 below).

4. Sharing of personal data

We will not disclose your personal data to third parties, unless this is necessary to fulfill our services (legal basis: Art. 6 para. 1 lit. b GDPR), you have consented to the disclosure (legal basis: Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR) or the disclosure of data is permitted by relevant legal provisions. Your personal data may also be disclosed to third parties if we are legally obliged to do so - e.g. by court order or to fulfill legal obligations (legal basis: Art. 6 para. 1 lit. c GDPR) or if this is necessary to support criminal or legal investigations or to defend and enforce legal claims (legal basis: Art. 6 para. 1 lit. f GDPR).

4.1 Data export via Connect: vicoach Business

In case your institution uses the vicoach Business Portal, you have the possibility to establish a Connect with the vicoach Business Portal of your institution. The results of your in-app tests (cf. section 3.5.a.(i) above) as well as the measurement data generated by means of scans (cf. section 3.5.a.(ii) above) are then shared with your institution and can be viewed there by you and your institution in addition to the app via the vicoach Business Portal of your institution in order to provide you with optimal support in your institution.

The transmission of the results of your in-app tests as well as the measurement data generated by means of scans to the institution is based on your consent given by way of the Connect (legal basis: Art. 9 para. 2 lit. a GDPR).

Please note that we have no influence on the (further) processing of your personal data by your institution. Only the terms of use and the privacy policy of your institution apply here; your institution is in this respect responsible for the processing of your personal data under data protection law within the meaning of Art. 4 No. 7 GDPR. For further information, please contact your institution directly.

4.2 Use of Processors

We are entitled to outsource the processing of your personal data in whole or in part to external service providers who act for us as processors pursuant to Art. 4 No. 8 GDPR within the framework of data protection law. External service providers support us, for example, in the technical operation and support of the app, data management, and the provision and performance of services. The service providers commissioned by us process your data exclusively in accordance with our instructions. We remain responsible for the protection of your data, which is ensured by strict contractual regulations, technical and organizational measures and supplementary controls by us.

We currently use the following external service providers as processors:

Newsletter tool Brevo

This privacy policy applies to the processing of personal data by the email tool Brevo (formerly Sendinblue). Brevo is a service of Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

We process personal data that is generated when you use our service. This includes in particular:

This data is processed for the purpose of providing and improving our service. As part of our newsletter, we also offer you the opportunity to learn about our services and offers.

You can unsubscribe at any time by clicking the appropriate link in the newsletter or by contacting our data protection officer. We do not share your personal data with third parties, unless it is necessary for the fulfillment of our contractual and legal obligations or you have previously given your consent.

Personal data will only be stored as long as it is necessary for the fulfillment of the stated purposes or as long as it is required by law.

You have the right to access, rectify or erase the personal data we hold about you, as well as the right to restrict processing and to data portability. If you have any questions or concerns about your personal data, you can contact our Data Protection Officer at any time.

5. Data transfers to third countries

We and our external service providers generally process your personal data within the European Union (EU) or the contracting states of the Agreement on the European Economic Area (EEA).

However, in individual cases, your data may also be transferred to and processed in so-called third countries outside the European Union (EU) or the contracting states to the Agreement on the European Economic Area (EEA). Some third countries are certified by the European Commission through so-called adequacy decisions as having a level of data protection that is comparable to that of the European Union (EU) or the contracting states to the Agreement on the European Economic Area (EEA). In other third countries, there may not be a level of data protection comparable to that of the European Union (EU) or the contracting states of the European Economic Area (EEA) due to a lack of legal provisions. In this case, we take care to ensure the protection of your personal data by means of suitable guarantees within the meaning of Art. 46 GDPR. You can contact us at any time using the contact options listed in section 1 above to obtain a copy of these guarantees.

If sufficient protection of your data is not possible, we will inform you at the relevant point about the respective details of the transfer and the associated data protection risk and ask for your consent to the data transfer in advance.

6. Storage period

Your personal data will only be stored by us for as long as is necessary to achieve the purposes for which the data was collected or - insofar as statutory retention periods exist that go beyond this (e.g. in the German Commercial Code and in the German Fiscal Code) - for the duration of the legally prescribed retention period. We then anonymize or delete your personal data. Only in a few exceptional cases may your data be stored beyond this period, for example, if storage is necessary in connection with the enforcement of and defense against legal claims.

You can terminate your use of the app at any time in the app and thus delete your data. To do this, select the menu item "Settings", then "Profile" and then "Delete account" in the app settings.

In order to comply with the principle of data minimization within the meaning of Art. 5 (1) lit. e of the GDPR, we will automatically delete your data after 2 years of inactivity at the latest. We will remind you in advance of your right to transfer your data.

7. Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data that is carried out on the basis of Art. 6(1)(e) or (f) of the GDPR. We will no longer process your personal data after an objection, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (cf. Art. 21 (1) GDPR, so-called limited right of objection). The reasons arising from your particular situation must be explained by you.

If we process your data for direct marketing purposes, you may object to the processing at any time, even without giving reasons. We will then no longer process your data for these purposes.

8. Your data protection rights

In accordance with the applicable data protection law, you are also entitled to the following rights in particular in accordance with the legal requirements:

According to Art. 15 ff. of the GDPR, you have the right to request information about your personal data stored by us at any time. When we process or use your personal data, we strive to take reasonable steps to ensure that your personal data is accurate and up-to-date for the purposes for which it was collected. In the event that your personal data is inaccurate or incomplete, you may request that it be corrected. Furthermore, you may have the right to request the deletion or restriction of the processing of your personal data if, for example, there is no longer a legitimate business purpose for such processing in accordance with this Privacy Policy or applicable law and legal retention obligations do not require the continued storage.

Pursuant to Art. 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format or to transfer this data to another controller.

If you have consented to the collection, processing and use of your personal data, you may, pursuant to Art. 7 (3) of the GDPR, revoke your consent at any time with effect for the future, but without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.

To enforce your data protection rights, you can contact us at any time using the contact options listed in section 1 above.

In addition, you have the right to complain to the competent supervisory authority (in particular, the supervisory authority in the Member State of your residence, workplace or the place of the alleged infringement) if you believe that the processing of your personal data is not lawful. The data protection supervisory authority responsible for us is:

The Hamburg Commissioner for Data Protection and Freedom of Information.
Ludwig-Erhard-Str. 22
20459 Hamburg, Germany
phone: +49 (0)40 428 54 - 4040
fax: +49 (0)40 428 54 - 4000
e-mail: mailbox@datenschutz.hamburg.de

9. Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to provide you with the app without restrictions. Personal data that we do not absolutely require for the processing purposes mentioned above are marked accordingly as voluntary.

10. Automated decision making

We do not use automated decision-making or profiling in the sense of Art. 22 of the GDPR.

11. Reservation of right to change

We reserve the right to change this privacy policy at any time at our own discretion in compliance with the legal requirements. This may be the case, for example, to comply with new legal provisions or to take into account new features within the app. However, we will at all times treat your personal information in accordance with whichever version of the Privacy Policy was in effect at the time we collected this information.

We will post changes to our Privacy Policy in the App under the menu item "Data & Privacy" > "Privacy Policy" so that you are fully informed about the types of personal data we collect, how we process it, and under what circumstances it may be disclosed. We therefore recommend that you check this menu item at regular intervals to find out about our current data protection practices.

Version: 5.1

Status: 20.06.2023