Privacy Policy

Of the digital health application somnio

Last updated on 14 August 2025

1 Purpose, scope and general information

The privacy policy applies to the somnio application or app. The app somnio is used for the treatment of sleep onset and sleep maintenance disorders

Internet access must be available to use the app. The use of internet-based services generally involves a certain security risk, which we minimize on our part. However, we cannot completely address all risks.

We use third-party libraries and software. These are used as sparingly as possible and are monitored regularly by us.

2 Tips on how to maximize the protection of your data

use an email address that does not reveal any personell details (e.g. pm1234@test.de instead of peter.milller@test.de)
the same applies for your self-chosen username (e.g. Superstar instead of Petra)
To be safe that no data are left in the RAM after closing the application, please restart or shut down your device. Data left in the RAM cannot be protected anymore and may be read by third parties with access to your device
Activate device protection (PIN, pattern lock, or similar)
Perform regular software updates
Keep your operating system up to date
Only use encrypted network connections; use a VPN if necessary
Only store sensitive data on trusted devices
Tips from the German Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/cyber-sicherheitsempfehlungen_node.html

Further recommendations for safe use

Never log in from a public device
Regularly delete your cookies in your browser
Avoid closing the application without logging out
Regularly check whether you really need the notifications you have set
If you notice an error or something seems strange, please contact our support team immediately

3 Collection of general Information

What? To display the application correctly, to connect to the application and to detect and defend against attacks

What information? IP address, Information about the device used

Legal basis Article 6(1)(f) GDPR, the legitimate interest lies in the protection of our application, as well as in the correct presentation of the app.

You can object to this processing. To do so, please write to dataprivacy@mementor.de.

Deletion period IP addresses are stored for 10 days, Data of the devices used immediately after fulfilling the purpose

Service provider no

4 Prescription transfer service (optional)

What? We take care of submitting the prescription to your health insurance company. You upload your prescription, we send it electronically (if possible) or by post to your health insurance company, you will receive the activation code.

At the same time, an account will be created (see next point) so that you retain full control over your data.

What information? address details, email address, telephone number (optional), health insurance company, picture of the prescription with insurance number and name

Legal basis Article 9(2), first sentence (a) GDPR (consent can be revoked at any time)

Deletion period immediately after redeeming the license code through the account or after a maximum of 90 days

Service provider Letter delivery: LetterXpress, provided by A&O Fischer GmbH & Co. KG, Maybachstraße 9, 21423 Winsen (Luhe), Germany

5 Sleep training

a) Account creation

What? Create an account for the application

What information? email address, passkey (How do Passkeys work? ; German) or email address, password

Legal basis Article 6(1), first sentence (a) GDPR (consent can be revoked at any time)

Deletion period 30 days after creation (if no license code is used)

Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany

The consequence of the transfer is the storage of the email address on RDS (service of Amazon Web Services) in Frankfurt (Main), Germany

The consequence of the transfer is that the email address is stored on RDS (service from Amazon Web Services, Amazon Web Services, Inc. 410 Terry Avenue North Seattle WA 98109. United States) in Frankfurt (Main), Germany - despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.

b) Code redemption

What? To start sleep training and to bill the service to your health insurance company or private health insurance: We send the entered code to an interface of the health insurance company, or verify it with your private health insurance company to check that the code is genuine and up to date. If you have purchased somnio yourself, we check whether the code was issued by us.

What information? activation code, email address, passkey (How do Passkeys work? ; German) or only activation code and registration date if an account has already been created

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR (consent can be revoked at any time)

Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request

Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany

c) Log in

What? You must log in before every time before using the application.

What information? email address, passkey (How do Passkeys work? ; German) or health ID or email address, password

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance)(consent can be revoked at any time)

Deletion period no storage

Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany

provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transmitted for processing and will then be deleted immediately.

d) Sleep training with somnio

What? Independent progress monitoring, personalization of training

What information? self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)

Service provider no

e) Activity trackers (optional)

What? Transfer of fitness tracker measurements to the application

What information? health data on sleep times and sleep behavior

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)

Service provider fitness tracker connection: Thryve by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.

f) E-mails

What? Sending reminder emails, registration emails, system emails, communication in special cases (security corrective measures)

What information? email address, self-chosen username

Legal basis Article 6(1), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applilcations Ordinance) (consent can be revoked at any time)

Deletion period data will only be stored for as long as it is necessary for processing

Service provider provider for sending emails: Sendinblue of the company Newsletter2Go GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.

g) Medical report (optional)

What? Create, export and send the medical report so that the healthcare professional can check your current status

What information? Aggregated therapy data: module progress, course of clinically relevant parameters, self-selected user name

In case of transmission of the access code by email: your email address, the email address of your practice - we always create a secure link that you can remove at any time, the email is pre-formulated and must be sent by you

If you export the medical report, you are responsible for the security of this report, so please share it only with authorized people and delete it if it is no longer needed.

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (implied consent, revocable at any time)

Deletion period At the latest with the deletion of your account, 30 days after license expiration

Service provider no

h) Writing in the Electronic patient record (optional)

What? Export of usage data to the electronic patient record, either manually or regularly automated - where available

What information? Usage data: sleep behavior, clinically relevant parameters

Legal basis Article 6(1), first sentence (a) GDPR, Article 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time) - You must actively confirm the export

Deletion period no storage of data by mementor

Service provider Access to the ePA service: MEDKONNEKT GmbH, Schleißheimer Straße 91A, 85748 Garching b. München, Germany. Data will only be transferred for processing and then deleted immediately.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transferred for processing and then deleted immediately.

i) Contacting support (optional)

What? If you would like to contact us directly and need human support for technical problems or have questions about program content

What information? email address, Information about the device used, personal health data if required

Legal basis Article 6(1), first sentence (a) GDPR, Article 6(1), first sentence (c) GDPR and Section 4 (2), first sentence DiGAV (implied consent, can be revoked at any time) - You write to us

Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request

Service provider no

j) Make an appointment for a support call (optional)

What? If you would like to contact us directly and need human support for technical problems or have questions about program content and if you want to do this by phone, you can book a support call

What information? name, email address, telephone number

Legal basis Article 6(1), first sentence (a) GDPR and Section 4(2), first sentence DiGAV ((implied consent, can be revoked at any time) - You book an appointment with us

Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request

Service provider appointment booking tool: Calenso. provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website: Calenso | secure & customizable online scheduling )
The data is transmitted to Calenso and stored there until the support call.

k) Anonymization of data to improve the service and to demonstrate the ongoing suitability of the application

What? We anonymize or de-identify information according to applicable privacy legislation for fulfillment of regulatory requirements in post market surveillance, analytics, statistical purposes and product improvement

Legal basis Article 6(1), first sentence (a) and (c) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)

Deletion period no storage of personal data, Data for the evaluation of modules in general are only stored anonymously, unless you explicitly want to be contacted afterwards, in which case the information will be used for a support request (see point i).

Service provider no

l) Collection of data for continuous improvement

What? As we are constantly striving to improve our applications, we ask for feedback on modules or other content within the application.

What information? Free text entries, ratings

Legal basis Article 6(1)(a) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance) (consent, revocable at any time) – consent is usually obtained in the module flow

Deletion periods Only data that has a further influence on the therapy is stored in a personalised form; this data is anonymised or deleted at the latest when your account is deleted, i.e. 30 days after the licence expires. All other data is recorded without personal reference.

Service providers None

m) Transfer of data for the purpose of conducting studies

What? Studies are not usually conducted by us, so it is necessary to transfer data to the study partner in order to conduct studies.

What information? All information specified in the relevant study protocol.

Legal basis Article 6(1)(a), Article 6(1)(c) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance) (consent, revocable at any time) – consent is not obtained within the application, but as part of the consent to participate in the study.

Deletion periods This is only a transfer, therefore no storage takes place within the scope of this processing

Service providers None

6 Other data processors

a) hosting provider

What? In order for our application to work, it must be hosted. This includes the storage and processing of all data that is not processed directly on the end device

What information? All server-side processing of data, as well as the storage of data, including health data

Legal basis Article 6(1), first sentence (a) GDPR and section 4(2), first sentence DiGAV

Service provider IONOS Cloud, provided by IONOS SE, Elgendorfer Str. 57. 56410 Montabaur (Server location Germany)
By using IONOS, all processed and stored data is transferred to the IONOS data center. IONOS has a variety of security measures in place to guarantee that your data is safe there. You can find more information at Data Protection and Cloud Security | IONOS.

7 Cookies

The application uses cookies – small text files that are stored on your device by the server. They are used to store session data after you log in to the program.

Please note that the use of cookies may involve certain security risks. To prevent your session from being taken over by unauthorized third parties, we recommend that you log out properly after each use.

Even after the program crashes or is unexpectedly terminated, cookies may remain on your device.
Manually deleting cookies can provide additional security.

8 Your rights

a) General rights

You can exercise the following rights by sending an email to support@mementor.de

You have the right to:

Information about your personal data processed by us in accordance with Article 15 GDPR,
demand the immediate correction of incorrect or completion of your personal data stored by us in accordance with Article 16 GDPR,
Deletion of your personal data stored by us in accordance with Article 17 GDPR,
the restriction of the processing of your personal data in accordance with Article 18 GDPR,
receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Article 20 GDPR,
Complaint to a supervisory authority pursuant to Article 77 GDPR,
Revocation of consent granted in accordance with Article 7(3) GDPR.

9 Privacy policy changes

We reserve the right to amend the privacy policy in the event of changes in legal requirements or updates on our part. If you are already registered at that time, you will be informed.

10 Contact information

Responsible body in the sense of data protection law
mementor DE GmbH
Karl-Heine-Strasse 15
04229 Leipzig
Germany
info@mementor.de

Contact details of the data protection officer
mementor DE GmbH
Datenschutz
Karl-Heine-Strasse 15
04229 Leipzig
Germany
dataprivacy@mementor.de