Version of 26.02.2024
The controller within the scope of the General Data Protection Regulation and other privacy laws applicable in the Member States of the European Union and other data protection provisions (Schengen Data Protection Act, FADP Switzerland):
Pathmate Technologies AG
Josefstr. 219
8005 Zurich
Switzerland
Pathmate Technologies GmbH
Julius-Hatry-Str. 1
68163 Mannheim
Germany
Together hereinafter referred to as "Pathmate".
Email: datenschutz@pathmate-technologies.com
Data protection tel.: +49 2505 639797
Data protection officer: Nils Möllers, Keyed GmbH
Thank you for your interest in the data processing practices of Pathmate. This privacy policy explains in detail how we collect, store and process data. It outlines which personal data Pathmate collects in conjunction with use of the MobileCoach platform (Coaching CMS, Coaching editor and coaching app) and how Pathmate processes this data.
Pathmate processes personal data on the basis of various provisions of law pursuant to Article 6(1) GDPR. We inform you about this in detail so that you can decide whether you want to consent to the processing of your data. On using the MobileCoach platform and its contents for the first time, you indicate that you understand and give your implied consent to the various purposes of this privacy policy.
The term "personal data" is defined in the German Privacy Act (Bundesdatenschutzgesetz, BDSG), the Schengen Data Protection Act (SDPA) and in the European Data Protection Regulation (EU GDPR). As defined in these sources, personal data is personal or factual information that relates to an identified or identifiable individual. This includes, for example, your civil name, your address, your telephone number or your date of birth. Use of the app may also involve the collection of special personal data, such as blood pressure or BMI. Pathmate implements stricter measures in this case to ensure an appropriate level of protection in accordance with Article 32 of the GDPR.
Insofar as we obtain the consent of the data subject for processing operations involving personal data, point (a) of Article 6(1) GDPR and point (a) of Article 9(2) GDPR serve as the legal basis for the processing of personal data.
If processing of personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Article 6(1) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures or are required for support queries.
If processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, point (c) of Article 6(1) GDPR serves as the legal basis.
If processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Article 6(1) GDPR serves as the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, point (f) of Article 6(1) GDPR serves as the legal basis for processing.
We group users of MobileCoach into the following categories:
a) Researchers who create digital coaching programs and surveys, and
b) Testers who use the digital coaching program and enter data into the chat, a survey or other areas of the digital coaching program.
Pathmate collects, stores and processes data that you provide to Pathmate or that you transmit by using and signing up for MobileCoach:
a) Contact information (for example: email address or name), whether through use of our services, interaction with the support teams, or use of the app.
b) Registration information: Researchers need a MobileCoach account to create digital coaching programs. For registration we collect email address, first and last name, and password information.
c) Digital coaching programs responses: For testers that interact with the digital coaching program via the MobileCoach app, we collect the data provided into the chat, the surveys, and other areas of the digital coaching program. We act as a processor (Art. 28 GDPR) and cannot control which data is entered into our app. If our customers ("controller" acc. to Art 4 Nr. 7 GDPR) invite other participants, they are responsible for ensuring that this has a legal basis.
d) Usage information: We collect usage information about you whenever you interact with our services. This may include which pages you visit, what you click on, when you perform those actions, what language preference you have, and so on.
e) Device and browser data: We collect information from the device and application you use to access our services, for example: IP address, operating system version, device type, device ID/MAC address, system and performance information, and browser type, and other device, network and browser signals. If you are on a mobile device we also collect the UUID for that device. We may also infer your geographic location based on your IP address.
We act as a processor (Art. 28 GDPR) and cannot control which additional data is entered into our app. If our customers ("controller" acc. to Art 4 Nr. 7 GDPR) invite other participants, they are responsible for ensuring that this has a legal basis.
We process the following personal data for the purpose of communication and processing on the basis of point (b) of Article 6(1) GDPR:
Contact information
Registration information
Digital coaching programs responses
Usage information
Device and browser data
We process the following personal data for the purpose of analysing user behaviour, optimising the app and troubleshooting on the basis of point (f) of Article 6(1) GDPR:
Usage information
Device and browser data
We may share your data with third parties who process the data on behalf of Pathmate for the processing purposes set out in this privacy policy. Our employees only have access to your data to the extent required for the fulfilment of their tasks. Arrangements are in place to ensure that contracted companies do not use your data independently, outside the scope of the contract, or pass it on to third parties. Where necessary, Pathmate has entered into data processing contracts with all such third parties in accordance with the guidelines of the European Commission, pursuant to which they undertake to comply with the data privacy rules.
If we consider it necessary in order to protect and defend our rights or property, we can also pass on your personal and health data in order to comply with the applicable laws and regulations, in case of legal proceedings, at the request of relevant courts and authorities or due to other legal obligations.
All data related to the use of the MobileCoach platform is hosted in Switzerland with a specialised server hosting company. The hosting services we use are for the provision of the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating the Pathmate system. The processor for hosting services is: gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.
Description and purpose
To be able to answer your queries as quickly as possible, we use a helpdesk (ticketing) system, which involves the use of your personal data. The helpdesk system makes it possible to sort and structure support requests, and to arrange them according to categories in order to assign them faster to the responsible persons and to always be able to keep an eye on the ticket status. We use the services of Zammad GmbH, Marienstrasse 18, 10117 Berlin to implement the helpdesk system.
Legal basis
The legal basis for the processing of personal data is the legitimate interest pursuant to point (d) of Article 6(1) GDPR in the efficient processing of user enquiries.
Recipient
Recipient is Zammad GmbH, Marienstrasse 18, 10117 Berlin.
Transfer to third countries
Data is not transferred to third countries.
Duration of data retention
Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, the data will be erased if you revoke your consent or request the erasure of your personal data.
Right to object
You have the right to object at any time to the processing of your personal data. The right to object does not affect the validity of past data processing operations.
Contractual or legal obligation
There is no contractual or legal obligation for the provision of the data.
Further data privacy information is available via the link
More information on data processing and data privacy by Zammad can be found here: https://zammad.com/en/company/privacy
Apple
If you want to receive push notifications even when you are not in our app, you must provide your consent. We ask for this when you first install (Android) or use (iOS) the app. All notifications or access options can be subsequently switched on or off in the settings menu.
For push notifications we use the services Firebase Cloud Messaging by Google (Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland) and Apple Push Notifications (Apple Inc. One Apple Park Way, Cupertino, California, USA, 95014).
In doing so, Firebase and Apple generate a calculated key (pseudonymised device token ID), which is made up of the app ID and device ID. This key is stored on our push platform with your selected settings to provide you with content tailored to your requirements. The Firebase or Apple servers cannot draw any conclusions about users' queries or determine any other data related to an individual. Firebase and Apple serve solely as intermediaries.
Legal basis
Data processing is based on our legitimate interests (point (f) of Article 6(1) GDPR) in the optimised provision of our services. In addition, you give your consent to Apple and Google locally on your device pursuant to point (a) of Article 6(1) GDPR.
Duration of data retention
Data is erased as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, the data will be erased if you revoke your consent or request the erasure of your personal data.
Further data privacy information is available via the link
Further information on Google Firebase and privacy can be found here: https://www.google.com/policies/privacy/
Further information about Apple and privacy can be found here: https://www.apple.com/privacy/
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller.
You can exercise your data protection rights at any time and obtain information about your data stored and processed by us, correct or supplement your data, object to the processing of your data or request the deletion of your personal data. You will find the contact options at the beginning of this document. You can only assert your data protection rights (information, correction, addition, objection) by specifying an individual numerical code and/or request the deletion of your data directly within the app.
You have the right to request confirmation from the controller as to whether we are processing personal data relating to you. If your personal data is being processed, you can request the following information from the controller:
the purposes for which personal data is being processed;
the categories of personal data that are being processed;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making including profiling referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether your personal data is transferred to a third country or an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
You have a right to correction and/or completion vis-à-vis the controller if the processed personal data relating to you is incorrect or incomplete. The controller must make the correction without undue delay.
You have the right to obtain from the controller restriction of processing where one of the following applies:
you contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
the controller no longer needs the personal data for the purposes of the processing, but you still require the data for the establishment, exercise or defence of legal claims;
you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction of processing is lifted.
You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:
your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
you withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
your personal data has been unlawfully processed;
your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
your personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Where the controller has made your personal data public and is obliged pursuant to Article 17(1) GDPR to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure shall not apply to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.
If you have asserted your right to rectify or erase personal data or to restrict the processing of your data, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if requested to do so.
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:
the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
the processing is carried out by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
You have the right to revoke your declaration of consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the revocation.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that concern you or similarly significantly affects you. This does not apply if the decision:
is necessary for entering into, or performance of, a contract between you and a controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (a) and (c), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Our app and any associated communication (e.g. emails) can contain links to third-party websites. We do not have any influence on the information and services on third-party websites. Nor do we have any influence on how third parties handle the data collected on their websites. We are therefore not responsible for complying with data privacy and other applicable laws with regard to third-party links in the app or any associated communication. If you have any questions on this matter, please contact the third-party providers directly.
Personal data is stored for the duration of the respective statutory retention period. After expiry of this period, the data is routinely deleted unless it is necessary for the initiation or fulfilment of a contract.
We have taken extensive technical and operational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security procedures are reviewed regularly and adapted to technological progress. Our company also ensures a consistent level of data protection through constant auditing and optimisation of the data protection organisation.
Pathmate reserves the right to change or update this privacy policy at any time. This privacy policy was created on 26.02.2024 by Keyed GmbH.