Privacy Policy

Of the digital health application somnio

Last updated on 08.09.2020

1. Contact information

Responsible body in the sense of data protection law

mementor DE GmbH
Jahnallee 14
04109 Leipzig

Contact details of the data protection officer

Paul Schmude
Jahnallee 14
04109 Leipzig

2. Purpose and scope

This privacy policy provides users with information about the nature, scope and purpose of the collection and use of their data by the responsible provider.

The privacy policy is valid for the app somnio. The app somnio is used for the treatment of sleep disorders and guides through a variety of cognitive behavioral exercises by means of a digital avatar. A sleep journal is used to track progress and guide therapy. For this purpose, health information within the meaning of Art. 9 DSGVO is used; this is explained in more detail in point 4.b).

3. Collection of general information

Each time you use somnio, a connection is established with the somnio server. Information is automatically collected in the process.

The IP address and information about the end device you are using are recorded. Without this data, it would not be technically possible to use somnio. In this respect, the collection of the data is mandatory. In addition, we use the anonymized information for statistical purposes. They help us to optimize the offer and the technology. We also reserve the right to subsequently check the log files if we suspect illegal use of our offer. The legal basis for the temporary storage of the data or the log files is Art. 6 para. 1 lit. f DSGVO, whereby the legitimate interest follows from the aforementioned purposes.

Deletion of the data, in particular the log files, takes place at regular intervals.

4. Sleep training

Personal data is processed in the course of sleep training. Personal data is any information by which a person can be clearly identified. It is therefore data that can be traced back to a person.

All data is stored and processed on servers in Germany by European providers. The operator of our servers is certified according to ISO 27001, and corresponding order data processing contracts are in place. Internet access must be available in order to use the app. The use of online-based services is generally associated with a certain security risk, which we minimize from our side, but we cannot address all risks completely.

a) Registration

If registration takes place via the website or the health application somnio, the following personal data will be processed by mementor as part of the registration and use of the health application somnio: e-mail address and license code.

If you are a member of Techniker Krankenkasse and access the somnio website via the member area, it is not necessary to enter a license code. However, mementor will know that you are a member of Techniker Krankenkasse.

If, on the other hand, you are a member of Generali Deutschland Krankenversicherung AG and access the somnio website via the member area, it is not necessary for you to enter any data. In this case, your e-mail address will be provided to mementor by Generali.

If you are a member of CSS Versicherung, you can also access the somnio site via the member area. In this case, you must provide your insurance number in addition to your e-mail address when registering. You must also confirm that you have a supplementary insurance that covers the costs of using somnio.

Registration allows access to services and content that are only available to registered users. In addition, we use the DiGA code for billing the health insurance company. No data other than the DiGA code is transmitted. If necessary, registered users have the option to change or delete the data provided during registration in their profile at any time.

In this case, the processing of your data is based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO, § 4 para. 2 p. 1 DiGaV. You can revoke the consent at any time without giving reasons. The processing of the DiGA code for billing purposes is based on Art. 6 para. 1 p. 1 lit. b DSGVO.

The deletion of the data takes place 12 months after the end of the usage period, to give you the opportunity to continue sleep training at a later time, even after the end of this period. Deletion also takes place after 12 months of inactivity, in which case you will receive a notification by e-mail 30 days before deletion.

b) Sleep training with somnio

In order to personalize sleep training and thus achieve the highest possible success rate, further data is collected in sleep training with the somnio health application. This includes:

  • a self-selected user name
  • gender
  • age

When you use the app, it requests health data on

  • sleep times
  • consumption of relevant substances such as alcohol and caffeine
  • sleep behavior
  • your subjective assessment about your performance and mood

The given answers are stored and evaluated in order to adapt the training to the user's individual problems and needs. The data collected are special categories of personal data, specifically health data, as defined by Art. 9 DSGVO and § 22 BDSG. Health data is all data relating to the physical and mental state of health of a natural person. This data is stored on a server in Germany. The servers are not operated by us, but by a European provider. A commissioned data processing agreement and a list of technical and organizational measures are in place with this provider. The contractor is certified according to ISO 27001. Only our administrators, our user support staff and you have access to the data.

The stored data is used to calculate score values, create evaluations and monitor training success.

This data is only collected and used by mementor if this is expressly permitted by law or if the user consents to the collection, processing, use and disclosure of the data.

The legal basis for processing the data or health data is your express consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO and Art. 9 para. 2 p. 1 lit. a DSGVO. You can withdraw your consent to processing at any time without giving reasons. Withdrawal of consent results in blocking the processing of your data, and in deletion after 30 days. Within this period, you may give your consent again and continue to use the program without losing your progress.

The deletion of the data takes place 12 months after the end of the period of use, in order to give you the opportunity to continue the sleep training at a later time, even after the end of this period. Deletion also takes place after 12 months of inactivity, in which case you will receive a notification by e-mail 30 days before deletion.

c) Sleep trackers

The health application somnio offered by mementor can optionally be connected to a fitness tracker from Fitbit (connection via Fitbit API). Information about bedtime, time of falling asleep, sleep duration, number of nocturnal waking phases and duration, time of waking up and time of getting up are transmitted from the Fitbit API to somnio and transferred to the sleep journal according to lit. b.

A connection with the fitness tracker and the retrieval of the data is only possible after you have given your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO. You have the option to revoke this consent at any time and continue using somnio without a fitness tracker.

The deletion of the data takes place according to lit. a 12 months after the end of the usage period.

5. Use of Anonymized Data to Improve the Service

The somnio health application is based on current scientific treatment methods and takes into account the latest knowledge from research. To ensure continuous improvement of the sleep training, mementor reserves the right to anonymize and subsequently evaluate your data. This allows the training and its effectiveness to be optimized.

6. Contact and Support

If you contact mementor by e-mail or form, the information you provide (in particular your e-mail address) will be stored in order to answer your inquiry and to be able to ask possible follow-up questions.

In this case, the processing of your data is based on your (implied) consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO.

7. Calenso

You have the possibility to book support appointments via telephone with us. In order to organize and schedule these appointments, we use Calenso. The provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website:

We use Calenso to make appointments bookable online. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO; the legitimate interest lies in the structured organization of the appointments.

When booking an appointment, name, e-mail address and the telephone number are required. The information sent to us remains with us until you request us to delete it or until the purpose for which the data was stored no longer applies. Mandatory legal provisions – in particular retention periods – remain unaffected. If you prefer not to make appointments with us via Calenso, you can alternatively contact us by e-mail or telephone.

In addition, we have concluded a Data Processing Agreement (DPA) with Calenso. This ensures that Calenso will only use the user data in accordance with EU data protection standards for the sole purpose of processing the requests and will not pass them on to third parties.

For more information about Calenso and the data collected, please consult Calenso’s privacy policy by clicking on the link below:

8. Cookies

somnio uses so-called cookies. These are text files that are stored on your device by the server. Cookies are used in somnio to store session data after logging into the program. We would like to point out that this may involve certain risks. To ensure that your session cannot be hijacked by third parties, we recommend that you log out after each use of somnio.

9. Your rights

In the following, you will find information on which data subject rights the applicable data protection law grants you vis-à-vis the controller with regard to the processing of your personal data:

a) The right to request information about your personal data processed by us pursuant to Article 15 of the GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.

b) The right, in accordance with Art. 16 DSGVO, to demand the immediate correction of incorrect, or the completion of incomplete, personal data stored by us.

c) The right to request the erasure of your personal data stored by us in accordance with Art. 17 DSGVO, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

d) The right to request the restriction of the processing of your personal data in accordance with Art. 18 DSGVO, insofar as the accuracy of the data is disputed by you; the processing is unlawful but you object to its erasure; we no longer need the data but you need it for the assertion, exercise or defense of legal claims; or you have objected to the processing in accordance with Art. 21 DSGVO.

e) The right, in accordance with Art. 20 DSGVO, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller. In the profile, you can export all data stored about you in a machine-readable format. You also have the option to give a clinical professional (doctor / psychotherapist) access to an evaluation report. The report includes data from your sleep journal as well as data on progress in sleep training. The access cannot be triggered by the clinical professional; it is initiated exclusively by an action on your part from the profile of the application. Any access is only possible through an explicit authorization from you.

f) The right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR. As a rule, you can contact the supervisory authority of the federal state of our registered office stated above or, if applicable, that of your usual place of residence or workplace for this purpose.

g) Right to revoke consent given in accordance with Art. 7 (3) DSGVO: You have the right to revoke consent to the processing of data once given at any time with effect for the future. In the event of revocation, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

h) If your personal data is processed by us on the basis of legitimate interests pursuant to Article 6 (1) sentence 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Article 21 DSGVO, insofar as this is done for reasons arising from your particular situation. Insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement to specify a particular situation.

If you wish to exercise your right of revocation or objection, simply send an e-mail to

10. Privacy policy changes

In order to ensure that our privacy policy always complies with the current legal requirements, mementor reserves the right to make changes at any time. This also applies in the event that the privacy policy has to be adapted due to new or revised services.