Privacy Policy coreway App & Terms of use

Date of Creation: June 4, 2024
Version 2 – This document is subject to regular review.

coreway UG
Bischoff-Keppler Straße 9
73525 Schwäbisch Gmünd
kontakt@core-way.de

Data Controller:
coreway UG
Bischoff-Keppler Straße 9
73525 Schwäbisch Gmünd

Contact:
Hanna Schuler
kontakt@core-way.de
+49 15738156657

Introduction

We, coreway UG, represented by Hanna Schuler, Selina Hörig, and Philipp Emonds, are committed to ensuring the privacy and protection of your personal data. Our data protection practices comply with the European General Data Protection Regulation (GDPR). This privacy policy explains what data we collect from you, how, for what purpose, and for how long this data is processed and stored, as well as what rights you have regarding your data.

Definitions

The privacy policy of coreway UG is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easily readable and understandable for the public, our customers, and business partners. To ensure this, we would like to explain the terms used in advance.

We use the following terms in this privacy policy:

a) Personal Data
Personal data is any information relating to an identified or identifiable natural person (hereinafter „data subject“). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

b) Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for processing.

c) Processing
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

d) Restriction of Processing
Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

e) Profiling
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

f) Pseudonymization
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.

g) Controller or Data Controller
The controller or data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor
A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

i) Recipient
A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third Party
A third party is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data.

k) Consent
Consent is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Purposes of Processing and Legal Basis

The goal of our health app („App“) is to collect data to enable the early detection of flare-ups in chronic inflammatory bowel disease (IBD). We collect various types of data to provide you with personalized analyses.

Registration

When registering in the app, you will be asked to provide your email address and username. Please note that first and last names are not collected, as they are not relevant to us. This approach minimizes the risk of sensitive health data being traced back to you. If you still have concerns, you are free to register using an alternative email address. Providing an email address is necessary, for example, to recover your password if you forget it.

During the registration process, you will be asked for personal information such as your diagnosis and birth year. This information is important for us to determine and update your age. In line with data minimization, we do not require your full date of birth. Additional data collected includes your gender, the average number of flare-ups per year, symptoms during a flare-up, and known flare triggers. Some of this data constitutes sensitive health information.

As we plan to further develop the app by integrating an algorithm for early detection of flare-ups based on heart rate variability (HRV), we ask you to specify which device you use to measure HRV. Furthermore, we require information about the medications you take and any additional medical conditions you may have. All this information is relevant for us to make an informed estimate of how your HRV may be affected by these factors.

During registration, we process the following data:

  • Username
  • Email
  • Password
  • IBD diagnosis
  • Gender
  • Birth year
  • Average flare-ups per year
  • Symptoms
  • Flare triggers
  • Medication intake
  • Additional medical conditions

In your profile, you can update the following data at any time:

  • Change your username
  • Change your password
  • Update your account information
  • Delete your account (all data will be automatically deleted)

Data After Registration

After successful registration, you can log in using your email and password. To make the best use of our app, we ask you to enter a daily measurement for the following parameters:

You can either manually conduct an HRV measurement each day or enter the average HRV value if your smartwatch supports this function. Following the measurement, we ask for additional details about your current health status. This includes information on:

  • Current complaints on a scale of 1 to 10
  • Specific symptoms
  • Sleep quality
  • Stress level
  • Dietary habits
  • Smoking habits
  • Alcohol consumption
  • Consumption of caffeinated beverages
  • Additional health conditions such as a current cold

Furthermore, we are interested in:

  • Physical activity
  • Psychological stress
  • Additional medications

These data points are particularly important to us as they, alongside inflammatory markers, can also influence HRV.

Our project is based on current scientific studies, which indicate that HRV changes when inflammation levels increase. To establish our own „proof of concept“ and provide evidence-based validation, we require these data. The evaluation of this information by a developer is essential for creating an algorithm and artificial intelligence that will eventually allow the app to inform you of your current risk of a flare-up based on your HRV.

After registration, we process the following data:

  • Sleep quality
  • Stress level
  • Diet
  • Physical activity
  • Daily heart rate variability
  • Disease activity
  • Symptoms
  • Influencing factors such as smoking, alcohol consumption, other health conditions
  • Caffeine intake
  • Mental health concerns
  • Additional medications

Data from Wearables

We use the Tryterra API to collect data from connected wearables to measure heart rate variability (HRV) and other health metrics such as stress, sleep, and physical activity. Additional consent is required for this processing. The processing of data from other wearables can be disabled at any time in the app under „Account“ → „Update Account“ → „Link Wearable.“

Push Notifications

To remind you of your daily measurements, we will send push notifications to your smartphone. These notifications can be disabled at any time within the app. Push notifications must be explicitly activated and are completely voluntary. You can disable them at any time in your account settings within the app.

Anonymization of Data and Further Processing for Research and Development

We anonymize and aggregate the data collected in connection with app usage. The anonymized data is then used for our own research and development purposes related to health data collection, specifically to determine whether flares of chronic inflammatory bowel disease (IBD) can be detected early through the analysis of heart rate data and other health metrics.

External developers may also receive anonymized data to further improve the algorithm.

Legal Basis for Data Processing

The data is collected to enable early detection of IBD flare-ups. Processing your data serves the purpose of improving app functionality and developing an algorithm to predict disease flare-ups. Additionally, we may provide you with a personalized analysis via encrypted email.

Furthermore, we process your personal data related to your app usage to:

  • Improve and develop our app and services
  • Perform data analysis and process comparison
  • Ensure IT security

Before using these data, we remove personal identifiers as much as possible and use the data in an aggregated form. Finally, we anonymize and aggregate the data collected from app usage for research and development purposes, particularly in relation to early detection of IBD flares through heart rate and health data analysis.

Legal Basis for Processing Sensitive Health Data

As we collect and process sensitive health data within the scope of the aforementioned purposes, we rely on your explicit and informed consent in accordance with Article 6(1)(a) and Article 9(2)(a) of the GDPR. Your consent is obtained during the app registration process and stored for the duration of your app usage.

Processing of Non-Health Personal Data

We also process your non-health-related personal data to:

  • Fulfill the contract for app usage
  • Communicate with you
  • Provide support
  • Resolve technical or other issues
  • Generate app reports and analyses

This processing is based on:

  • Article 6(1)(b) GDPR (for the performance of contractual or pre-contractual measures)
  • Article 6(1)(f) GDPR (for our legitimate interest in ensuring the app and our services function securely and without errors)

Summary of the Legal Basis for Data Processing

Article 6(1)(a) GDPR (in conjunction with Article 9(2)(a) GDPR, where health data is concerned) serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is required for the performance of a contract to which you, as the data subject, are a party—such as processing necessary for the delivery of goods or the provision of a service—then the processing is based on Article 6(1)(b) GDPR. This also applies to pre-contractual measures, such as inquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data—such as compliance with tax obligations—then processing is based on Article 6(1)(c) GDPR (in conjunction with Article 9(2)(g) GDPR, where health data is involved).

In rare cases, processing may be necessary to protect vital interests of the data subject or another natural person. For example, if a visitor is injured at our premises and their name, age, health insurance details, or other critical information must be provided to a doctor or hospital, processing would be based on Article 6(1)(d) GDPR (in conjunction with Article 9(2)(c) GDPR, where health data is affected).

Finally, processing may be based on Article 6(1)(f) GDPR. This applies to processing operations not covered by the above legal bases, provided that processing is necessary to safeguard a legitimate interest of our company or a third party, unless the interests, fundamental rights, and freedoms of the data subject outweigh these interests. The European legislator explicitly recognizes this principle, stating that a legitimate interest may be presumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).

Legal or Contractual Requirement to Provide Personal Data; Necessity for Contract Conclusion; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Non-Provision

We inform you that the provision of personal data may be legally required (e.g., due to tax regulations) or may arise from contractual provisions (e.g., details regarding a contract partner).

In some cases, providing personal data is necessary for entering into a contract, and such data must subsequently be processed by us. As a data subject, you are required to provide personal data when entering into a contract with us. Failure to provide this data would mean that we cannot enter into a contract with you.

Additionally, if you do not provide personal data, the functionality of the app and our services may be partially or completely restricted.

Data Storage

Your data is stored in a pseudonymized manner. We only require a username and do not collect real names to protect your privacy. However, it should be noted that the use of email addresses could allow for identification of an individual.

Data Security

The data is stored in a database within the European Union. No full names or birthdates are collected. Pseudonymization is applied using an ID system to ensure data security.

Only fully anonymized data is used in the algorithm, ensuring that it is not possible to trace any information back to a specific individual.

Use of Firebase

Data is stored in the backend using Firebase, a Google Cloud provider. The Firebase database is located in Europe to comply with European data protection standards. A data processing agreement (DPA) under Article 28 GDPR exists between us and Firebase. This agreement ensures that Firebase only processes personal data according to our instructions.

Upon successful registration, each data subject is assigned an ID to maintain anonymity.

Firebase processes the following data:

  • Number of users and sessions
  • Session duration
  • Device model and operating system
  • First app launch
  • Provision of app updates
  • Technical information about your browser and devices (e.g., language settings, screen resolution)

Firebase, as a Google service provider, operates under its own privacy policies.
For further information, please visit:
🔗 Firebase Privacy Support
🔗 Google Analytics Privacy & GDPR Compliance
🔗 Google Analytics Privacy Policy
🔗 Google Privacy Policy

Data Retention Period

According to Article 5(1)(e) GDPR, personal data must not be stored longer than necessary for the purposes for which it was collected. Therefore, we only store your data as long as you continue to use our app.

It is important to note that once data is anonymized, the GDPR no longer applies, and there is no time limit for data storage. This is the case when your data has been fully anonymized and integrated into the algorithm.

Your data will be stored as long as your account remains active and you use the app.

If you request data deletion, all your stored personal data will be deleted. However, data that has already been processed anonymously within the algorithm cannot be removed, as it is completely anonymized and untraceable.

Data Subject Rights

  • Right of Access: You have the right to obtain, at any time and free of charge, information about the personal data stored about you, its origin, recipients, and the purpose of data processing.
  • Right to Rectification: If your personal data is inaccurate or incomplete, you have the right to request correction of your personal data.
  • Right to Erasure: Also known as the „right to be forgotten,“ this right allows you to request the deletion or removal of your personal data when there is no compelling reason for us to continue using it. This is not a general right to erasure; there are exceptions. For example, we may have the right to continue using your personal data if such use is necessary for compliance with our legal obligations or for the establishment, exercise, or defense of legal claims.
  • Right to Restrict Processing: This right allows you to suspend the use of your personal data or limit the ways in which we can use it. Please note that this right is limited to specific situations: If we process personal data collected with your consent, you can request a restriction only in the following cases: (a) you dispute the accuracy of the personal data; (b) our processing is unlawful, and you do not want your personal data to be deleted; (c) you need the data for legal claims, or (d) you have objected to the processing, and it is not yet determined whether your legitimate reasons outweigh our legitimate interests. If processing is restricted, we may still store the data but may not further process it. We maintain lists of individuals who have requested a restriction on the use of their personal data to ensure that the restriction is respected.
  • Right to Data Portability: The right to request that we provide your personal data in a structured, commonly used, and machine-readable format so that you can transfer this data to another controller without hindrance from us.
  • Right to Object: The right to object to our use of your personal data.
  • Right to Information: The right to receive clear, transparent, and easily understandable information about how we use your personal data.
  • Right to Withdraw Consent: If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time. However, withdrawing your consent does not affect the lawfulness of the processing carried out based on your consent before the withdrawal. The processing of data prior to withdrawal remains lawful. Exercising these rights is free of charge, but you are required to verify your identity.

To submit a request or exercise any of the rights outlined in this privacy policy and/or to file a complaint, please contact us via email at kontakt@core-way.de or by mail. We will make every effort to respond within 30 days. Our contact details can be found at the beginning of this privacy policy.

Right to Lodge a Complaint

You have the right to lodge a complaint with us (see contact details below) or with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or the location where the alleged violation occurred.

If we receive formal written complaints, we will contact the complainant to address the complaint. We cooperate with the relevant data protection authorities, including the locally competent data protection authority, to resolve any complaints that we cannot resolve directly.

The competent data protection authority is:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Königstrasse 10 a
70173 Stuttgart, Germany
🔗 www.baden-wuerttemberg.datenschutz.de

Automated Decision-Making

The personal data we collect and process is not subject to automated individual decision-making by us.

Changes to the Privacy Policy

You will be notified in the app about updates to the privacy policy.

Contact for Data Protection Inquiries

For any data protection inquiries, please contact us at kontakt@core-way.de.

Terms of Use

1. Subject of the Terms of Use

1.1. These Terms of Use apply to the use of the coreway App („App“). The App is a service provided by coreway UG, Bischoff-Keppler-Str. 9, 73525 Schwäbisch Gmünd, kontakt@core-way.de, +49 1573 8156657 („coreway“).

1.2. By installing and activating the App through the creation of a user account and accepting these Terms of Use, a contract („Usage Agreement“) is established between coreway and the user of the App („User“) regarding the use of the App.

1.3. The legal relationship between coreway and the User under the Usage Agreement is governed exclusively by these Terms of Use. Other terms of use do not apply.

2. The App

2.1. The App collects the User’s heart rate data, which is then analyzed by coreway. The analyzed data is made available to the User. Additionally, the data is used in anonymized form for research purposes, particularly for the study of flare-ups in chronic inflammatory bowel diseases.

2.2. The provision of collected data to the User is for informational purposes only and does not constitute a medical diagnosis or any other assessment of the User’s health status. Any interpretation of the data is at the User’s own risk. Users are strongly advised not to make any medical decisions based on the provided data without first consulting a doctor.

2.3. The App is a free and voluntary service offered by coreway. coreway reserves the right to modify or discontinue the App at any time, or to introduce paid features. If a paid version is introduced, a new contract must be concluded for continued use.

2.4. Information about compatible devices, software, and operating systems can be found in the App, on the coreway website, and in app stores where the App is available for download.

3. Use of the App

3.1. To use the App, the User must create a user account. After installing the App, the User can go through the registration process and complete it by clicking the „Register“ button. A confirmation will then be sent to the provided email address. Before completing the registration, any input errors can be corrected in the registration form. After registration, changes can be made through the user account settings.

3.2. The user account is password-protected. The User must keep the password confidential and not share it with anyone. If the password is lost, the User must immediately inform coreway so that a new password can be generated. This can also be done via the „Forgot Password“ function on the login page of the App.

3.3. The use of the user account is permitted only for the registered User. Using another person’s account may distort measurement results and is not permitted.

3.4. The User is only permitted to use the App within the agreed contractual scope and in compliance with applicable laws and regulations. The User is prohibited from:

(i) Using the App to store or transmit infringing, defamatory, illegal, or unauthorized content or any material that violates the rights of third parties.
(ii) Using the App to store or transmit malicious code.
(iii) Interfering with or disrupting the integrity or performance of the App or third-party data contained within it.
(iv) Attempting to gain unauthorized access to the App or any related systems or networks.
(v) Allowing direct or indirect access to the App or its use in any way that circumvents contractual usage restrictions.
(vi) Copying the App or any parts, features, functions, content, or user interface, unless required for the intended use of the App under this contract (e.g., loading the App onto a temporary storage medium).
(vii) Framing any part of the App.
(viii) Accessing the App to create a competing product or service.
(ix) Reverse engineering the App (unless legally permitted).

3.5. The User is liable for any damages resulting from violations of their obligations, including reasonable legal costs. This does not apply if the User is not responsible for the violation.

If there is reasonable suspicion of a serious violation, coreway is entitled to temporarily suspend access to the App or the user account. Access will be restored once the issue is resolved.

4. Duration of the Usage Agreement

4.1. The Usage Agreement is concluded for an indefinite period and may be terminated by either party at any time without notice. The User can terminate the Usage Agreement via their user account by deactivating the account.

4.2. Upon termination of the Usage Agreement, the User is required to stop using the App and, upon request by coreway, delete the installed App from their device.

4.3. In the event of termination, any provisions that, by their nature and purpose, are intended to survive termination shall remain in effect. This particularly applies to provisions regarding intellectual property rights and licenses, warranties, liability, data protection, and final provisions.

5. Warranty

The User acknowledges that the App is provided as a free service. Therefore, warranty rights for the App are excluded.

coreway is not obligated to correct errors or malfunctions of the App or to provide updates or patches. There is no guarantee of the App’s continuous availability.

6. Liability

6.1. coreway is liable for damages in accordance with statutory provisions. coreway shall be liable for damages—regardless of the legal basis—only in cases of intent and gross negligence.

For simple negligence, coreway’s liability is limited to foreseeable and typical damages, provided that the breached obligation is essential to fulfilling the contract (i.e., an obligation whose fulfillment is necessary for the proper execution of the contract and on which the User regularly relies).

For simple negligence in the violation of non-essential contractual obligations, coreway shall not be liable.

6.2. The limitations of liability outlined above do not apply in the following cases:

a) Damages resulting from injury to life, body, or health, which are caused by a negligent breach of duty by coreway or a deliberate or negligent breach of duty by a legal representative or vicarious agent of coreway.
b) If coreway has fraudulently concealed a defect.
c) If coreway has provided a guarantee for the quality of a product or service.
d) For claims under the German Product Liability Act (Produkthaftungsgesetz).

6.3. coreway is not liable for indirect damages (e.g., lost profits, business interruptions, consequential damages).

6.4. The User is responsible for properly backing up data stored on their device and for regularly creating backups.

Liability for data loss is limited to the damage that would have occurred if the User had properly backed up their data.

7. Statute of Limitations

7.1. The limitation period for claims based on material and legal defects is one (1) year from the date of delivery or service. If an acceptance procedure has been agreed upon, the limitation period begins upon acceptance.

7.2. The limitation period for contractual and non-contractual damages claims is one (1) year from the start of the statutory limitation period.

7.3. The statutory limitation periods apply, overriding the above provisions, in cases where they are legally mandatory, as well as in cases of intent or gross negligence and in the scenarios specified in Section 6.2.

8. Intellectual Property and Use of Data

8.1. The App is the intellectual property of coreway. coreway retains all rights to the App. Rights to the App are only granted to the extent explicitly specified.

8.2. coreway grants the User a non-exclusive, non-transferable, and non-sublicensable right to use the App in accordance with these Terms of Use. No exclusive rights to the App are granted. The User may not use or exploit the App in any way that is not covered by the agreements with coreway. The right to use the App automatically expires upon termination of the Usage Agreement.

8.3. The User may modify the App only with prior written consent from coreway and where legally required under Sections 69 et seq. of the German Copyright Act (UrhG).

8.4. The User receives the App only in object code form. There is no right to access the source code.

8.5. coreway is permitted to use the data generated by the App in anonymized and/or aggregated form for its own purposes. However, coreway may not provide non-aggregated or non-anonymized data to third parties.

9. Right of Withdrawal

9.1. Right of Withdrawal

You have the right to withdraw from this contract within fourteen days without providing any reason. The withdrawal period is fourteen days from the date of contract conclusion.

To exercise your right of withdrawal, you must inform us—coreway UG, Bischoff-Keppler-Str. 9, 73525 Schwäbisch Gmünd, kontakt@core-way.de, +49 1573 8156657—by means of a clear statement (e.g., a letter sent by post or an email) regarding your decision to withdraw from this contract. You may use the attached sample withdrawal form, but this is not mandatory.

To meet the withdrawal deadline, it is sufficient for you to send your notification before the withdrawal period expires.

9.2. Consequences of Withdrawal

If you withdraw from this contract, we will refund all payments received from you, including delivery costs (except for any additional costs resulting from your choice of a delivery method other than the least expensive standard delivery we offer), without undue delay and no later than fourteen days from the date we receive notice of your withdrawal.

For the refund, we will use the same payment method you used for the original transaction unless expressly agreed otherwise. In no case will you be charged fees for this refund.

Sample Withdrawal Form

(If you wish to withdraw from the contract, please fill out this form and return it.)

To:
coreway UG
Bischoff-Keppler-Str. 9
73525 Schwäbisch Gmünd, Germany

I/We (*) hereby withdraw from the contract concluded by me/us (*) regarding the provision of the following service: _________________

  • Ordered on (*): _________________
  • Name of the consumer(s): _________________
  • Address of the consumer(s): _________________
  • Signature of the consumer(s) (only for paper notifications): _________________
  • Date: _________________

(*) Delete as appropriate.

10. Data Protection

The provision of the App and the processing of the data collected through the App are carried out in compliance with data protection law, in particular the GDPR and the BDSG (German Federal Data Protection Act). Further details on the processing of personal data can be found in the Privacy Policy.

11. Jurisdiction

If both parties to this contract are merchants, legal entities under public law, or special funds under public law, the exclusive place of jurisdiction is the registered office of coreway. However, coreway is also entitled to take legal action at the User’s general place of jurisdiction.

12. Applicable Law

The contractual relationship is governed by the laws of the Federal Republic of Germany, excluding German private international law and the United Nations Convention on Contracts for the International Sale of Goods (CISG) of April 11, 1980.

13. Miscellaneous

13.1. There are no verbal agreements. Any changes or additions to these Terms of Use must be made in writing (§ 126 BGB – German Civil Code). This also applies to any waiver of the written form requirement.

13.2. coreway is entitled to transfer the contract, including all rights and obligations, to an affiliated company or a legal successor.

13.3. If one or more provisions of these Terms of Use are found to be invalid, void, or incomplete, the validity of the remaining provisions remains unaffected. The parties shall replace the invalid or void provision or fill the contractual gap with a provision that best fulfills the intended economic purpose.

If the invalidity of a provision is due to a performance or time measure (such as a deadline or date), the legally permissible alternative shall apply.

13.4. The EU Commission has set up an online dispute resolution (ODR) platform for disputes between businesses and consumers. The ODR platform is available at:
🔗 https://ec.europa.eu/consumers/odr/

coreway is not willing to participate in a dispute resolution procedure under the VSBG (German Consumer Dispute Resolution Act).
