Privacy Policy
Of the digital health application somnio
Last update 17 March 2026
1 Purpose, scope and general information
This privacy policy applies to the somnio application (app). The somnio app is used for the treatment of sleep onset and sleep maintenance disorders.
Internet access must be available to use the app. The use of internet-based services generally involves a certain security risk, which we minimize on our part. However, we cannot completely address all risks.
We use third-party libraries and software. These are used as sparingly as possible and are monitored regularly by us.
Additional clauses apply for residents of certain U.S. jurisdictions, see paragraph 11.
2 Tips on how to maximize the protection of your data
Use an email address that does not reveal any personal details (e.g. pm1234@test.de instead of peter.mueller@test.de)
The same applies for your self-chosen username (e.g. Superstar instead of Petra)
To make sure that no data is left in the RAM after closing the application, please restart or shut down your device. Data left in the RAM can no longer be protected and may be read by third parties with access to your device
Activate the standard device protection of your end device (PIN, pattern lock or similar)
Keep your software updated
Keep your operating system updated
Use encrypted network connections, use a VPN if necessary
Save sensitive data only on trustworthy devices
Tips from the German Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/cyber-sicherheitsempfehlungen_node.html
Never log in from a public end device
Delete cookies periodically
Do not close the application without logging out
Check whether any notifications are really necessary
If you notice any bug or something seems off, please contact our support immediately
3 Collection of general information
Purpose: To display the application correctly, to connect to the application and to detect and defend against attacks
Data categories: IP address, Information about the device used
Legal basis: Art. 6 para. 1 lit. f GDPR, the legitimate interest lies in the protection of our application, as well as in the correct presentation of the app
You can object to this processing. To do so, please write to dataprivacy@mementor.de.
Retention period: IP addresses are stored for 10 days; data about the device used is deleted immediately after the purpose has been fulfilled
Provider: None
4 Prescription transfer service (optional)
Purpose: We take care of submitting the prescription to your health insurance company. You upload your prescription, we send it electronically (if possible) or by post to your health insurance company, you will receive the activation code.
At the same time, an account will be created (see next point) so that you retain full control over your data.
Data categories: address details, email address, telephone number (optional), health insurance company, picture of the prescription with insurance number and name
Legal basis: Art. 9 para. 2 p. 1 lit. a GDPR (consent can be revoked at any time)
Retention period: immediately after redeeming the license code through the account or after a maximum of 90 days
Provider: Letter delivery: LetterXpress, provided by A&O Fischer GmbH & Co. KG, Maybachstraße 9, 21423 Winsen (Luhe), Germany
5 Sleep training
a) Account creation
Purpose: Create an account for the application
Data categories: email address, passkey or email address, password
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR (consent can be revoked at any time)
Retention period: 30 days after creation (if no license code is used)
Provider: provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
b) Code redemption
Purpose: To start sleep training and to bill the service to your health insurance company or private health insurance: We send the entered code to an interface of the health insurance company, or verify it with your private health insurance company to check that the code is genuine and up to date. If you have purchased somnio yourself, we check whether the code was issued by us.
Data categories: activation code, email address, passkey or only activation code and registration date if an account has already been created
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR (consent can be revoked at any time)
Retention period: 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Provider: provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
c) Log in
Purpose: You must log in every time before using the application.
Data categories: email address, passkey or health ID or email address, password
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Retention period: no storage
Provider: provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
Provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transmitted for processing and will then be deleted immediately.
d) Sleep training with somnio
Purpose: Independent progress monitoring, personalization of training
Data categories: self-chosen username, gender, age, health data on sleep times, sleep behavior, height, weight, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Retention period: 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Provider: None
e) Activity trackers (optional)
Purpose: Transfer of fitness tracker measurements to the application
Data categories: health data on sleep times and sleep behavior
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Retention period: 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Provider: fitness tracker connection: Thryve by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
f) E-mails
Purpose: Sending reminder emails, registration emails, system emails, communication in special cases (security corrective measures)
Data categories: email address, self-chosen username
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGaV (consent can be revoked at any time)
Retention period: data will only be stored for as long as it is necessary for processing
Provider: provider for sending emails: Sendinblue of the company Newsletter2Go GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
g) Medical report (optional)
Purpose: Create, export and send the medical report so that the healthcare professional can check your current status
Data categories: Aggregated therapy data: module progress, course of clinically relevant parameters, self-selected user name
In case of transmission of the access code by email: your email address, the email address of your practice - we always create a secure link that you can remove at any time, the email is pre-formulated and must be sent by you
If you export the medical report, you are responsible for the security of this report, so please share it only with authorized people and delete it if it is no longer needed.
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV (implied consent, revocable at any time)
Retention period: At the latest with the deletion of your account, 30 days after license expiration
Provider: None
h) Writing in the Electronic patient record (optional)
Purpose: Export of usage data to the electronic patient record, either manually or regularly automated - where available
Data categories: Usage data: sleep behavior, clinically relevant parameters
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGaV (consent can be revoked at any time) - You must actively confirm the export
Retention period: no storage of data by mementor
Provider: Access to the ePA service: MEDKONNEKT GmbH, Schleißheimer Straße 91A, 85748 Garching b. München, Germany. Data will only be transferred for processing and then deleted immediately.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transferred for processing and then deleted immediately.
i) Contacting support (optional)
Purpose: If you would like to contact us directly and need human support for technical problems or have questions about program content
Data categories: email address
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 6 para.1 p. 1 lit. c GDPR and § 4 para. 2 p. 1 DiGaV (implied consent, can be revoked at any time) - You write to us
Retention period: Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Provider: None
j) Make an appointment for a support call (optional)
Purpose: If you would like to contact us directly and need human support for technical problems or have questions about program content and if you want to do this by phone, you can book a support call
Data categories: name, email address, telephone number
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGaV (implied consent, can be revoked at any time) - You book an appointment with us
Retention period: Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Provider: appointment booking tool: Calenso. The provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website: https://calenso.com/en/ )
The data is transmitted to Calenso and stored there until the support call.
k) Anonymization of data to improve the service and to demonstrate the ongoing suitability of the application
Purpose: Since we do not want to store personal data permanently, but still have obligations to provide evidence in the post-market surveillance of a health application, we have to evaluate data
Data categories: self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR, Art. 6 para.1 p. 1 lit. c GDPR and § 4 para. 2 p. 1 DiGAV (consent can be revoked at any time)
Retention period: no storage of personal data. Data for the evaluation of modules in general is only stored anonymously, unless you explicitly want to be contacted afterwards, in which case the information will be used for a support request (see point i).
Provider: None
l) Collection of data for continuous improvement
Purpose: Since we want to continuously improve our applications, we request feedback on modules or other content within the application.
Data categories: Free-text entries, ratings
Legal basis: Art. 6 para.1 p.1 lit. a GDPR and § 4 para.2 p.1 DiGAV (consent, revocable at any time) – consent is generally obtained within the module flow.
Retention period: Only personal data that has a further impact on therapy is stored; this data is anonymized or deleted no later than when your account is deleted, i.e., 30 days after the license expires. All other data is collected without any personal reference.
Provider: None
m) Transfer of data for the purpose of conducting studies
Purpose: Studies are generally not conducted by us directly; therefore, transferring data to the study partner is necessary to conduct the study.
Data categories: All information specified in the relevant study protocol
Legal basis: Art. 6 para.1 p.1 lit. a and Art. 6 para.1 p.1 lit. c GDPR and § 4 para.2 p.1 DiGA‑V (consent, revocable at any time) – consent is not obtained within the application but as part of the consent process for participating in the study.
Retention period: This involves a transfer only; therefore, no data is stored as part of this processing.
Provider: None
6 Other data processors
a) hosting provider
Purpose: In order for our application to work, it must be hosted. This includes the storage and processing of all data that is not processed directly on the end device
Purpose: All server-side processing of data, as well as the storage of data, including health data
Legal basis: Art. 6 para.1 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV
Retention period: 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Provider: IONOS Cloud, provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (Server location Germany)
By using IONOS, all processed and stored data is transferred to the IONOS data center. IONOS has a variety of security measures in place to guarantee that your data is safe there. You can find more information at https://cloud.ionos.co.uk/protection.
7 Cookies
somnio uses so-called cookies. These are text files that the server stores on your device. Cookies are used in somnio to store session data after logging into the program. We would like to point out that this may involve certain risks. To ensure that your session cannot be hijacked by third parties, we recommend that you log out after each use of somnio. Cookies may remain on your device even if the program crashes or closes unexpectedly. Manually deleting cookies can offer additional security.
8 Your rights
You can exercise the following rights by sending an email to support@mementor.de
You have the right to:
Information about your personal data processed by us in accordance with Art. 15 GDPR,
demand the immediate correction of incorrect personal data or the completion of your personal data stored by us in accordance with Art. 16 GDPR,
Deletion of your personal data stored by us in accordance with Art. 17 GDPR,
the restriction of the processing of your personal data in accordance with Art. 18 GDPR,
receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Art. 20 GDPR,
Complaint to a supervisory authority pursuant to Art. 77 GDPR,
Revocation of consent granted in accordance with Art. 7 para. 3 GDPR.
9 Privacy policy changes
We reserve the right to amend the privacy policy in the event of changes in legal requirements or updates on our part. If you are already registered at that time, you will be informed.
10 Contact information
Depending on your state of residence, you may have the right to file a complaint with your state attorney general's office if you believe we are in violation of applicable U.S. privacy laws.
Responsible body in the sense of data protection law
mementor DE GmbH
Karl-Heine-Strasse 15
04229 Leipzig
Germany
info@mementor.de
Contact details of the data protection officer
mementor DE GmbH
Datenschutz
Karl-Heine-Strasse 15
04229 Leipzig
Germany
dataprivacy@mementor.de
11 Additional Information for Residents of Certain U.S. Jurisdictions
In this section, we provide additional information for residents of California and certain US states as required by privacy laws of applicable U.S. jurisdictions ("U.S. Privacy Laws").
Retention of personal information
We retain personal information for as long as reasonably necessary for the purposes described in this Notice, such as to comply with our tax, accounting and recordkeeping obligations, to provide you services, for our own business purposes and for research, development and safety purposes. We also retain personal information for an additional time as needed to protect, defend or establish our rights, defend against potential claims and to comply with our legal obligations. From time to time, we may also identify or aggregate your personal information, retain and use it for a business purpose in compliance with CCPA and applicable U.S. Privacy Laws.
Rights regarding your personal information
Certain U.S. Privacy Laws provide rights regarding personal information. This section describes those rights and how to exercise them, if applicable.
Right to know/request access. Regarding the personal information we have collected about you in the prior twelve (12) months, and subject to certain conditions and exceptions, you may request:
the categories of personal information we collected about you
the categories of sources from which we collected your personal information
the business or commercial purposes for collecting, selling or sharing your personal information
the categories of third parties to whom we have disclosed your personal information
the specific pieces of your personal information collected.
Right to delete. Subject to certain conditions and exceptions, you may request that we delete your personal information.
Right to correct. Subject to certain conditions and exceptions, you may request that we correct inaccuracies in your personal information.
Right to opt-out of sales and sharing. You have the right to opt-out of the "sale" and "sharing" of your personal information, as those terms are defined under applicable U.S. Privacy Laws. While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics and advertising cookies may be considered "selling" and "sharing." To exercise your right to opt-out of the "sale" or "sharing" of your personal information, click the "Do Not Sell or Share My Personal Information" link at the bottom of our website. Please note that submitting an opt-out request will only opt you out of disclosures that are considered "sales" or "sharing," but it will not opt you out of other disclosures, such as to our service providers.
You may also have the right to opt-out of "sales" and "sharing" of your personal information by using an opt-out preference signal. If we detect that your browser or device is transmitting an opt-out preference signal, such as the "global privacy control" or "GPC" signal, we will opt that browser or device out of cookies that result in a "sale" or "sharing" of your personal information. If you come to our website or use our Services from a different device or from a different browser on the same device, you will need to opt-out, or use an opt-out preference signal, for that browser and/or device as well.
Right to non-discrimination. We will not discriminate against you for exercising any of the rights described in this section.
Authorized agents. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents must provide proof of their authorization in their first communication with us. We may also require the relevant consumer to directly verify their identity and the authority of the authorized agent.
We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements or (2) automated requests where we have reason to believe the security of the requestor’s personal information may be at risk.
Exercising your rights
If you are a resident of an applicable jurisdiction and want to exercise your rights, you may do so by:
writing an email to support@mementor.de.
Verification. Before responding to your request, we must first verify your identity using the personal information you recently provided to us. You must provide us with your email address and/or serial and device number. We will verify your request by matching the information you provided us with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary, to process your request. If we cannot verify your identity, we may deny the request and will explain the basis for the denial.
Response timing and format. We will respond to your request as required under the applicable U.S. Privacy Law. If we deny the request, residents of certain jurisdictions may appeal our decision by sending an email to privacy@resmed.com.
California "Shine the Light" disclosure
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. However, we do not disclose personal information to third parties for their direct marketing purposes.
Consumer health privacy information
Some jurisdictions, including Washington and Nevada, have enacted privacy laws specific to certain types of consumer health data. For additional information on how ResMed handles consumer health data and your potential rights under these laws, review our Consumer Health Data Privacy Notice at https://myair.resmed.com/policies/consumer-health-data .