Privacy Policy
Of the digital health application somnio
Last updated on 3. Feb. 2025
1 Purpose, scope and general information
The privacy policy applies to the somnio application or app. The app somnio is used for the treatment of sleep onset and sleep maintenance disorders.
Internet access must be available to use the app. The use of internet-based services generally involves a certain security risk, which we minimize on our part. However, we cannot completely address all risks.
We use third-party libraries and software. These are used as sparingly as possible and are monitored regularly by us.
2 Tips on how to maximize the protection of your data
use an email address that does not reveal any personal details (e.g. pm1234@test.de instead of peter.mueller@test.de)
the same applies for your self-chosen username (e.g. Superstar instead of Petra)
To make sure that no data is left in RAM after closing the application, please restart or shut down your device. Data left in RAM can no longer be protected and may be read by third parties with access to your device.
Tips from the Federal Office for Information Security (BSI):
Basic IT security tips
3 Collection of general Information
For what? To display the application correctly, to connect to the application and to detect and defend against attacks
What information? IP address, Information about the device used
Legal basis Art. 6 para. 1 lit. f GDPR, the legitimate interest lies in the protection of our application, as well as in the correct presentation of the app
You can object to this processing. To do so, please write to dataprivacy@mementor.de.
Deletion period IP addresses are stored for 10 days; data on the devices used is deleted immediately after the purpose has been fulfilled
Service provider no
4 Prescription transfer service (optional)
For what? We take care of submitting the prescription to your health insurance company. You upload your prescription, we send it to your health insurance company electronically (if possible) or by post, and you receive the activation code.
At the same time, an account will be created (see next point) so that you retain full control over your data.
What information? address details, email address, telephone number (optional), health insurance company, picture of the prescription with insurance number and name
Legal basis Art. 9 para. 2 p. 1 lit. a GDPR (consent can be revoked at any time)
Deletion period immediately after redeeming the license code through the account or after a maximum of 30 days
Service provider Letter delivery: LetterXpress, provided by A&O Fischer GmbH & Co. KG, Maybachstraße 9, 21423 Winsen (Luhe), Germany
5 Sleep training
a) Account creation
For what? Create an account for the application
What information? email address, passkey (How do Passkeys work? ; German) or email address, password
Legal basis Art. 6 para.1 p. 1 lit. a GDPR (consent can be revoked at any time)
Deletion period 30 days after creation (if no license code is used)
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services; Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
b) Code redemption
For what? To start sleep training and to bill the service to your health insurance company or private health insurance: We send the entered code to an interface of the health insurance company, or verify it with your private health insurance company to check that the code is genuine and up to date. If you have purchased somnio yourself, we check whether the code was issued by us.
What information? activation code, email address, passkey (How do Passkeys work? ; German) or only activation code and registration date if an account has already been created
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services; Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
c) Log in
For what? You must log in every time before using the application.
What information? email address, passkey (How do Passkeys work? ; German) or health ID or email address, password
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Deletion period no storage
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services; Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transmitted for processing and will then be deleted immediately.
d) Sleep training with somnio
For what? Independent progress monitoring, personalization of training
What information? self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider no
e) Activity trackers (optional)
For what? Transfer of fitness tracker measurements to the application
What information? health data on sleep times and sleep behavior
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider fitness tracker connection: Thryve by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
f) E-mails
For What? Sending reminder emails, registration emails, system emails, communication in special cases (security corrective measures)
What information? email address, self-chosen username
Legal basis Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Deletion period data will only be stored for as long as it is necessary for processing
Service provider provider for sending emails: Sendinblue of the company Newsletter2Go GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
g) Medical report (optional)
For What? Create, export and send the medical report so that the healthcare professional can check your current status
What information? Aggregated therapy data: module progress, course of clinically relevant parameters, self-selected user name
In case of transmission of the access code by email: your email address, the email address of your practice - we always create a secure link that you can remove at any time, the email is pre-formulated and must be sent by you
If you export the medical report, you are responsible for the security of this report, so please share it only with authorized people and delete it if it is no longer needed.
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (implied consent, revocable at any time)
Deletion period At the latest with the deletion of your account, 30 days after license expiration
Service provider no
h) Writing in the Electronic patient record (optional)
For What? Export of usage data to the electronic patient record, either manually or regularly automated - where available
What information? Usage data: sleep behavior, clinically relevant parameters
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time) - You must actively confirm the export
Deletion period no storage of data by mementor
Service provider Access to the ePA service: MEDKONNEKT GmbH, Schleißheimer Straße 91A, 85748 Garching b. München, Germany. Data will only be transferred for processing and then deleted immediately.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transferred for processing and then deleted immediately.
i) Contacting support (optional)
For What? If you would like to contact us directly and need human support for technical problems or have questions about program content
What information? email address
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 6 para.1 p. 1 lit. c GDPR and § 4 para. 2 p. 1 DiGAV (implied consent, can be revoked at any time) - You write to us
Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Service provider no
j) Make an appointment for a support call (optional)
For What? If you would like to contact us directly and need human support for technical problems or have questions about program content and if you want to do this by phone, you can book a support call
What information? name, email address, telephone number
Legal basis Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (implied consent, can be revoked at any time) - You book an appointment with us
Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Service provider appointment booking tool: Calenso. The provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website: https://calenso.com/en/)
The data is transmitted to Calenso and stored there until the support call.
k) Anonymization of data to improve the service and to demonstrate the ongoing suitability of the application
For What? Since we do not want to store personal data permanently, but still have obligations to provide evidence in the post-market surveillance of a health application, we have to evaluate data
What information? self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis Art. 6 para.1 p. 1 lit. a GDPR, Art. 6 para.1 p. 1 lit. c GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Deletion period no storage of personal data. Data for the evaluation of modules in general is only stored anonymously, unless you explicitly want to be contacted afterwards, in which case the information will be used for a support request (see point i).
Service provider no
6 Other data processors
a) hosting provider
For What? In order for our application to work, it must be hosted. This includes the storage and processing of all data that is not processed directly on the end device
What information? All server-side processing of data, as well as the storage of data, including health data
Legal basis Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider IONOS Cloud, provided by IONOS SE, Elgendorfer Str. 57. 56410 Montabaur (Server location Germany)
By using IONOS, all processed and stored data is transferred to the IONOS data center. IONOS has a variety of security measures in place to guarantee that your data is safe there. You can find more information at Data Protection and Cloud Security | IONOS.
7 Cookies
somnio uses so-called cookies. These are text files that the server stores on your device. Cookies are used in somnio to store session data after logging into the program. We would like to point out that this may involve certain risks. To ensure that your session cannot be hijacked by third parties, we recommend that you log out after each use of somnio.
8 Your rights
You can exercise the following rights by sending an email to support@mementor.de
You have the right to:
Information about your personal data processed by us in accordance with Art. 15 GDPR,
demand the immediate correction of incorrect personal data or the completion of your personal data stored by us in accordance with Art. 16 GDPR,
Deletion of your personal data stored by us in accordance with Art. 17 GDPR,
the restriction of the processing of your personal data in accordance with Art. 18 GDPR,
receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Art. 20 GDPR,
Complaint to a supervisory authority pursuant to Art. 77 GDPR,
Revocation of consent granted in accordance with Art. 7 para. 3 GDPR.
9 Privacy policy changes
We reserve the right to amend the privacy policy in the event of changes in legal requirements or updates on our part. If you are already registered at that time, you will be informed.
10 Contact information
Responsible body in the sense of data protection law
mementor DE GmbH
Karl-Heine-Strasse 15
04229 Leipzig
Germany
info@mementor.de
Contact details of the data protection officer
mementor DE GmbH
Datenschutz
Karl-Heine-Strasse 15
04229 Leipzig
Germany
dataprivacy@mementor.de