Privacy Policy

Of the digital health application somnio

Last updated on 10/03/2023

1. Contact information

Responsible body in the sense of data protection law

mementor DE GmbH
Karl-Heine-Straße 15
04229 Leipzig
Germany
info@mementor.de

Contact details of the data protection officer

Paul Schmude
Karl-Heine-Straße 15
04229 Leipzig
Germany
paul.schmude@mementor.de

2. Purpose and scope

This privacy policy provides users with information about the nature, scope and purpose of the collection and use of their data by the responsible provider.

The privacy policy is valid for the app somnio. The app somnio is used for the treatment of sleep disorders and guides through a variety of cognitive behavioral exercises by means of a digital avatar. A sleep journal is used to track progress and guide therapy. For this purpose, health information within the meaning of Art. 9 GDPR is used; this is explained in more detail in point 4.b).

3. Collection of general information

Each time you use somnio, a connection is established with the somnio server. Information is automatically collected in the process.

The IP address and information about the end device you are using are recorded. Without this data, it would not be technically possible to use somnio. In this respect, the collection of the data is mandatory. In addition, we use the anonymized information for statistical purposes. It helps us to optimize the offer and the technology. We also reserve the right to subsequently check the log files if we suspect illegal use of our offer. The legal basis for the temporary storage of the data or the log files is Art. 6 para. 1 lit. f GDPR, whereby the legitimate interest follows from the aforementioned purposes.

Deletion of the data, in particular the log files, takes place at regular intervals.

4. Prescription transfer service

You can instruct us to transfer your prescription to your health insurance company. In order to do this, please upload your prescription and register at our prescription transfer service, see point 5. a) for registration. The following data will be collected:

  • name, first name

  • e-mail address

  • postal address

  • telephone number (optional)

  • health insurance company

  • picture of the prescription with:

    • prescription number

    • name

    • date of birth

    • doctor’s number

    • stamp of the doctor with name, address

    • date of prescription

After finishing your registration and uploading the prescription, we will research the address of your health insurance company. We will subsequently write a letter asking them to fill your prescription and issue your DiGA code. This letter will be sent to the LetterXpress service provided by A&O Fischer GmbH & Co. KG, Maybachstraße 9, 21423 Winsen (Luhe), for dispatch. You will receive a reply directly from your health insurance company.

By transferring your prescription you will simultaneously be registered. This is to ensure that we can verify your identity and that you can make use of your rights if necessary.

All submitted data, except for your email address, will only be stored until the DiGA code has been redeemed, or until 30 days have passed since registration. The deletion of the registration data is carried out according to the specifications in point 5. a).

In this case, the processing of your data is based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR and Art. 9 para. 2 p. 1 lit. a GDPR. You can revoke your consent at any time without giving reasons.

5. Sleep training

Personal data is processed in the course of sleep training. Personal data is any information by which a person can be clearly identified. It is therefore data that can be traced back to a person.

All data is stored and processed on servers in Germany by European providers. The operator of our servers is certified according to ISO 27001, and corresponding order data processing contracts are in place. Internet access must be available in order to use the app. The use of online-based services is generally associated with a certain security risk, which we minimize from our side, but we cannot address all risks completely.

a) Login

Even if you have not yet received a license code, you can already log into your account. For logging in, please go to the website , then you can find out more about the different ways of prescription and the exact steps to take in order to receive a license code or DiGA code. The following information is required for logging in:

  • e-mail address

Your data will be processed based on your consent to our terms of use, our privacy policy and to the exclusion criteria. 
The processing of your data is thus based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent at any time without giving reasons.
The deletion of your data will take place automatically after 30 days of inactivity. You will be notified about the upcoming deletion of your data before the end of this deadline.

b) Registration

If registration takes place via the website http://www.somn.io/en/ or the health application somnio, the following personal data will be processed by mementor as part of the registration and use of the health application somnio: e-mail address and license code.

If you are a member of Techniker Krankenkasse and access the somnio website via the member area, it is not necessary to enter a license code. However, mementor will know that you are a member of Techniker Krankenkasse.

If, on the other hand, you are a member of Generali Deutschland Krankenversicherung AG and access the somnio website via their member area, it is not necessary for you to enter any data. In this case, your e-mail address will be provided to mementor by Generali.

If you are a member of CSS Versicherung, you can also access the somnio site via the member area. In this case, you must provide your insurance number in addition to your e-mail address when registering. You must also confirm that you have a supplementary insurance that covers the costs of using somnio.

Registration allows access to services and content that are only available to registered users. In addition, we use the DiGA code for billing the health insurance company. No data other than the DiGA code is transmitted. If necessary, registered users have the option to change or delete the data provided during registration in their profile at any time.

In this case, the processing of your data is based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR, Art. 9 para. 2 p. 1 lit. a GDPR and § 4 para. 2 p. 1 DiGAV. You can revoke the consent at any time without giving reasons. The processing of the DiGA code for billing purposes is based on Art. 6 para. 1 p. 1 lit. b GDPR.

The deletion of the data takes place 30 days after the end of the usage period. This is to ensure you can still use your existing account in case you get a follow-up prescription and don’t have to create a new one. You will be notified twice about the upcoming deletion of your data: 14 days and 7 days before the expiration date. On your explicit request, we can also save your data from deletion beyond this 30-day deadline. 

c) Sleep training with somnio

In order to personalize sleep training and thus achieve the highest possible success rate, further data is collected in sleep training with the somnio health application. This includes:

  • a self-selected user name

  • gender

  • age

When using the app, it requests health data on

  • sleep times

  • consumption of relevant substances such as alcohol and caffeine

  • sleep behavior

  • your subjective assessment about your performance and mood

The given answers are stored and evaluated in order to adapt the training to the user's individual problems and needs. The data collected are special categories of personal data, specifically health data, as defined by Art. 9 GDPR and § 22 BDSG. Health data is all data relating to the physical and mental state of health of a natural person. This data is stored on a server in Germany. The servers are not operated by us, but by a European provider. A commissioned data processing agreement and a list of technical and organizational measures are in place with this provider. The contractor is certified according to ISO 27001. Only our administrators, our user support staff and you have access to the data.

The stored data is used to calculate score values, create evaluations and monitor training success.

This data is only collected and used by mementor if this is expressly permitted by law or if the user consents to the collection, processing, use and disclosure of the data.

The legal basis for processing the data or health data is your express consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR and Art. 9 para. 2 p. 1 lit. a GDPR. You can withdraw your consent to processing at any time without giving reasons. Withdrawal of consent results in blocking the processing of your data, and in deletion after 30 days. Within this period, you may give your consent again and continue to use the program without losing your progress.

The deletion of the data takes place 30 days after the end of the usage period. This is to make sure you can still use your existing account in case you get a follow-up prescription and don’t have to create a new one. You will be notified two times about the upcoming deletion of your data: 14 days and 7 days before the expiration date. On your explicit request, we can also save your data from deletion beyond this 30-day deadline. 

d) Sleep trackers

The health application somnio offered by mementor can optionally be connected to a fitness tracker. The connection is done via the API of the corresponding manufacturer. Information about

  • bedtime,

  • time of falling asleep,

  • sleep duration,

  • number of nocturnal waking phases and duration,

  • time of waking up and

  • time of getting up

are transmitted from the fitness tracker to somnio and transferred to the sleep journal according to lit. b.

A connection with the fitness tracker and the retrieval of the data is only possible after you have given your consent according to Art. 6 para. 1 p. 1 lit. a GDPR. You have the option to revoke this consent at any time and continue using somnio without a fitness tracker.

The deletion of the data takes place 30 days after the end of the usage period. This is to make sure you can still use your existing account in case you get a follow-up prescription and don’t have to create a new one. You will be notified two times about the upcoming deletion of your data: 14 days and 7 days before the expiration date. On your explicit request, we can also save your data from deletion beyond this 30-day deadline.

e) E-mails

We use the Sendinblue service of the company Newsletter2Go GmbH, Köpenicker Straße 126, 10179 Berlin to send our e-mails. This includes the e-mail for registration, system e-mails, reminder e-mails and newsletters. For this purpose, the following data will be processed:

  • your e-mail address,

  • your self-selected user name,

  • the content of the message and

  • information on whether the e-mail has been read

A contract for commissioned data processing has been concluded with the service provider. The service provider uses subcontractors within the EU, so it is possible that information in the e-mails is loaded from countries outside Germany.

We use pixels in our e-mails to track whether an e-mail has reached its destination and has been read. This is necessary in order to know whether the sending of our e-mails is functioning correctly.

Your data will be processed based on your consent according to Art. 6 para. 1 p. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a. It is also possible to do the training without receiving any e-mails. At any time, you can select in your profile settings whether you want to receive reminder e-mails or a newsletter.

The processed data will be stored only as long as it is necessary for sending the e-mails.

6. Use of Anonymized Data to Improve the Service

The somnio health application is based on current scientific treatment methods and takes into account the latest knowledge from research. To ensure continuous improvement of the sleep training, mementor reserves the right to anonymize and subsequently evaluate your data. This allows the training and its effectiveness to be optimized.

7. Contact and Support

If you contact mementor by e-mail or form, the information you provide (in particular your e-mail address) will be stored in order to answer your inquiry and to be able to ask possible follow-up questions.

In this case, the processing of your data is based on your (implied) consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR.

8. Calenso

You have the possibility to book support appointments via telephone with us. In order to organize and schedule these appointments we use Calenso. The provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website: https://www.calenso.com).

We use Calenso to make appointments bookable online. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR; the legitimate interest lies in the structured organization of the appointments.

When booking an appointment, name, e-mail address and the telephone number are required. The information sent to us remains with us until you request us to delete it or until the purpose for which the data was stored no longer applies. Mandatory legal provisions – in particular retention periods – remain unaffected. If you prefer not to make appointments with us via Calenso, you can alternatively contact us by e-mail or telephone.

In addition, we have concluded a Data Processing Agreement (DPA) with Calenso. This ensures that Calenso will only use the user data in accordance with EU data protection standards for the sole purpose of processing the requests and will not pass them on to third parties.

For more information about Calenso and the data collected, please consult Calenso’s privacy policy by clicking on the link below: https://calenso.com/datenschutz/.

9. Cookies

somnio uses so-called cookies. These are text files that are stored on your device from the server. Cookies are used in somnio to store session data after logging into the program. We would like to point out that this may involve certain risks. To ensure that your session cannot be hijacked by third parties, we recommend that you log out after each use of somnio.

10. Your rights

In the following, you will find information on which data subject rights the applicable data protection law grants you vis-à-vis the controller with regard to the processing of your personal data:

a) The right to request information about your personal data processed by us pursuant to Article 15 of the GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.

b) The right, in accordance with Art. 16 GDPR, to demand the immediate correction of incorrect personal data, or the completion of incomplete personal data, stored by us.

c) The right to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

d) The right to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR.

e) The right, in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller. In the profile, you can export all data stored about you in a machine-readable format. You also have the option to give a clinical professional (doctor / psychotherapist) access to an evaluation report. The report includes data from your sleep journal as well as data on progress in sleep training. The access cannot be triggered by the clinical specialist themselves, but is exclusively initiated by an action you take from the profile of the application. Any access is only possible through an explicit authorization from you.

f) The right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR. As a rule, you can contact the supervisory authority of the federal state of our registered office stated above or, if applicable, that of your usual place of residence or workplace for this purpose.

g) Right to revoke consent given in accordance with Art. 7 (3) GDPR: You have the right to revoke consent to the processing of data once given at any time with effect for the future. In the event of revocation, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

h) If your personal data is processed by us on the basis of legitimate interests pursuant to Article 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Article 21 GDPR, insofar as this is done for reasons arising from your particular situation. Insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement to specify a particular situation.

If you wish to exercise your right of revocation or objection, simply send an e-mail to support@mementor.de.

11. Privacy policy changes

In order to ensure that our privacy policy always complies with the current legal requirements, mementor reserves the right to make changes at any time. This also applies in the event that the data protection declaration has to be adapted due to new or revised services, for example new services.