Ada Health GmbH Privacy Policy

Last modified: 26 September 2024

PLEASE READ THIS POLICY CAREFULLY BEFORE USING ADA HEALTH GMBH SERVICES.

You must be 16 years or older to use our Services.

Protecting your data, privacy and personal data (as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) is very important to Ada Health GmbH (“us”, “our” or “we”). It is vitally important to us that our customers (the “users”) feel secure when using our products and services.

This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at ada.com/terms-and-conditions, our Cookie Policy at ada.com/cookie-policy and any other documents referred to therein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.

Our Website may contain links to third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.

Ada offers its symptom assessment and other health related features both in its Ada Health App (the “App”) and embedded in a partner platform (“Ada Assess”). The App as well as Ada Assess are qualified, marketed and registered as Class IIa medical devices under Regulation (EU) 2017/745 on medical devices (“MDR”) within the European Union. However, the App and/or Ada Assess might not be regulated as medical devices in the place where you use it. In addition, Ada operates the website ada.com and any additional features it might include (the “Website”).

This Privacy Policy describes our data processing when using the App, Ada Assess, the Website or any service and/or product we may provide you (together, the “Services”). Where certain processing activities relate only to a specific product, this will be clearly indicated.

You are not under any obligation to provide your personal information to Ada. Please note, however, that most functionalities rely on you providing information about yourself and specifically your health. Without providing this information you might not be able to use those functionalities at all or to a limited extent. In some cases, the accuracy of the results might be impacted. This will be indicated in the description of the individual processing activities in Section 3 below.

If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.

1. Who we are

This Privacy Policy applies to any personal data processed by Ada Health GmbH (HRB 189710), Neue Grünstraße 17, 10179 Berlin, Germany being the data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with the Services.

Questions, comments and requests regarding this Privacy Policy are welcome and should be addressed through our contact form here. Our data protection officer can be contacted at [email protected].

2. General overview of the data processing in connection with the Services

Before you start using our Services, you should read our Privacy Policy carefully. In order to use our Symptom Assessment and other health related features, you have to consent to Ada analyzing the personal health data you voluntarily share in order to be provided with an assessment and health advice, for which you can find an information summary here.

This section 2 aims at giving you a quick high-level overview of the data processing activities in connection with the Services we provide you.

If you wish to read in detail all the data processing activities we undertake, we advise you to read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:

  • our cookies & tracking policy (section 4),
  • where we store your personal data (section 5),
  • when we may disclose your personal data (section 6),
  • our retention policy (section 7),
  • your data subjects’ rights (section 8),
  • your specific rights if you are a California resident (US) (section 9), and
  • our changes policy (section 10).

Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:

  • fill in forms on our Website, apply for a job offer or otherwise correspond with us by any available means;
  • register to use our Services, subscribe to our newsletter, receive promotional emails or any other marketing materials;
  • use our Services;
  • report a problem with our Services; or
  • complete any surveys or provide any feedback that we may use for research and improvement purposes (although it is optional, and you do not have to respond to these if you do not want to).

The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, phone number, symptoms of your illness, potential causes of your illness symptoms, health insurance (optional), medical history, any allergies you have, or further information required to verify your identity.

Information we collect about you: although we will not use it to identify you, we may collect the following data during each of your visits and use of our Services:

  • Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, and mobile network information; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time); details of conditions and symptoms searched;
  • Analytics data: your IP address, operating system and browser type; information about which app store you downloaded our App from; length of visits to certain pages, and page interaction information (such as scrolling, finger gestures, clicks, and mouse-overs)

3. Which personal data we may collect and process, why and for how long

3.1 When you access our services

  • Types of data: IP address of the requesting device, date and time of access, country, name and URL of the requested file, website from which access is obtained (“Referrer URL”), browser used and, where applicable, your device’s operating system and the identity of your access provider, traffic routing data, system configuration information, and other information about traffic to and from Customers’ websites, devices, applications, and/or networks
  • Purpose of processing: We use the above data to provide you with access to our Services, to ensure that the Services can establish an internet connection smoothly and are easy to use. We also use this data to analyze the system security and stability, as well as for additional administrative purposes. For purposes of system security, we engage Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107 United States as our data processor. When using WAPR your IP address as well as the other data mentioned above might be processed outside the European Union, especially in the United States. We have entered into a Data Protection Agreement including the Standard Contractual Clauses with Cloudflare.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the data collection purposes listed under “Purpose of processing”. We do not use the data collected for the purpose of identifying you. You are not obliged to provide the above personal data; however, you will not be able to access the Website if such personal data are not provided.
  • Storage duration: Your data is removed after 15 days, unless any security-relevant event occurs (e.g., a DDoS attack). Your data will be stored by Cloudflare for 6 months. If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and clarified in full.

3.2a When you register a user account or create a new profile

  • Types of data: Email address and password, account ID, device ID, profile name, gender, date of birth, health insurance (optional), general data about your health (optional) such as smoking, increased blood pressure, diabetes, and pregnancy status, date, time and location of registration.
  • Purpose of processing: We use the above data to provide you with a user account and access to our App. We use the general health data for the basic analysis. It is not possible to access and use our App if the (non-optional) data are not provided.
  • Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing of your health data.
  • Storage duration: We process your data for the purposes specified above until you request deletion of your account or when you delete your account. If your account is inactive for more than 24 months, we will contact you to check whether you wish to continue using our App. If you then leave your user account unused for another 3 months, we will delete your account. In either case, we will delete your account within 1 month and delete or irreversibly anonymize your data (such that it cannot be associated with a specific natural person). We will further retain your data (see section 7 for more details), e.g., for the purposes of establishing, exercising or defending against legal claims and to comply with high quality and safety standards, in particular our Post-Market Surveillance obligations but we will not process the data for any other purposes.

3.2b When you use Ada Assess

  • Types of data: account ID, general data about you and your health (optional) such as name, date of birth, biological sex, pregnancy status, high blood pressure, diabetes or smoking, technical identifiers, data required to facilitate a Single-Sign-On (where applicable) and other data the Partner has already collected about you and that Ada would have to collect again, such as your age.
  • Purpose of processing: We use the above data to enable the use of Ada Assess in the infrastructure of our business partners (website, app or other platform) and facilitate the exchange of data between Ada and the business partner. If you use Ada Assess, we will automatically create an account and a medical profile. Depending on the specific technical setup we might not be able to connect this account directly to you. Some Ada Assess integrations include the option to share your symptom assessments or connected information with our business partner to enable them to provide you further services based on your assessment. We will only share your data, if you have given us specific consent to do so. We may also ask you for consent to disclose pseudonymized usage data (not including any personal health data) to the business partner.
    Please note that if you access Ada Assess using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
  • Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing and sharing of your health data as well as a legitimate interest (Article 6(1)(f) GDPR) to provide you with an easy-to-use integration of Ada Assess.
  • Storage duration: Where the business partner provides Ada Assess to its registered users we store your data for as long as your user account exists or till you specifically request deletion of your assessment. When you use Ada Assess without an account we store your assessment for the duration of existing retention requirements of medical safety under applicable medical device regulations.

3.3 Health profile

  • Types of data: Body height and weight, any medication you are taking (permanently or not) and any allergies you may have.
  • Purpose of processing: This feature allows you to provide additional health information about you and create a comprehensive health profile to manage your health data in our App. When you update information such as height and weight in your profile, we will keep the previous entries to allow you to track its development. However, we will currently not process this to determine the symptom assessment results as detailed in section 3.5.
  • Use justification: Consent (Article 9(2)(a) GDPR). The use of this feature is voluntary and not a requirement to use the symptom assessment. You may revoke/withdraw your consent at any time by deleting the data from the health profile.
  • Storage duration: Your data will be stored until you delete it, or your account is terminated.

3.4 Third Party Login

  • Types of data: Third party ID (e.g., Facebook-/Apple-/Google-ID), email address (if you authorize Facebook to share the address with us), time and date of the login.
  • Purpose of processing: If you choose to login using a third party login feature from either Apple, Facebook or Google, we will receive the data listed above from the third-party provider with your approval to populate your user data in the App, and to verify your identity. Please note that if you use a third party login, this third party-provider may also process your data (ID, metadata, some app events and device metric). We are not responsible for and do not have control over this data processing. You can learn more about this in Apple's Privacy Policy / Facebook’s Privacy Policy / Google's Privacy Policy.
  • Use justification: Legitimate interest (Article 6 (1)(f) GDPR). Our legitimate interest is to provide users who do not have an email account or who wish to log in with their existing third-party account the option to use our Services / Contract performance (Article 6 (1)(b) GDPR) / Consent (Article 6 (1)(a) GDPR).
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.2. Data processed by the third party provider, which we do not control, may remain in its servers. Should you delete your Facebook or Google account or stop using your Apple device and wish to use the App, you will be directed to sign-in with an email or other login procedure.

3.5 Symptom assessment and health related features

  • Types of data: profile ID, profile name (when applicable) and related personal health data required to provide the assessment such as age, gender, illness symptoms, potential causes of illness symptoms, allergies, pregnancy status, relevant and/or related medical history, geographic location, time and date of assessment.
  • Purpose of processing: When you use the different features of the App we process your data including your health data to provide you with the requested functionality. Our symptom assessment relies on data about yourself and your symptoms to understand your health status, identify and suggest possible causes for the given symptoms (assessment) and present options to address the identified causes as well as other health conditions (e.g. referring you to a doctor/specialist or other health services for follow-up diagnostics, presenting you information on how to manage your symptoms or informing and inviting you to take part in clinical or other studies). We also process your data when you use other health related features such as the symptom tracker to document and track your symptoms, in order to provide you with the functionality used. No data will be shared with any third party without your specific consent.
  • Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing of your health data. You may revoke/withdraw your consent at any time; however, it is not possible to provide you with our symptom assessment or other health related features without such consent, as they rely on the processing of your health data.
  • Storage duration: As a rule, the storage duration corresponds to the period of processing according to section 3.2a/3.2b. In addition, you may request the deletion of a specific case or delete the case yourself. We will then delete or irreversibly anonymize your case data (such that it cannot be associated with a specific natural person) within 1 month. We will further retain some of your data (see section 7 for more details) but we will not process the data for any other purposes.

3.6 Partner options

  • Types of data: age, gender, illness symptoms, potential causes of illness symptoms, severity (advice level)
  • Purpose of processing: Certain options to address the identified causes may be provided by our partners, such as branded medication or informational materials. When you select to view these partner options, we show you available options based on the determined conditions in your assessment report as possible next steps. The decision which partner options are available for a specific assessment result is made by Ada independent of your specific case. When partner options are available for you based on your symptom assessment you can decide if you would like to view them. Your data is only processed internally at Ada and will not be shared with our partners.
  • Use justification: Consent (Article 9(2)(a) GDPR) for the display of branded care options. Your consent can be revoked by aborting the assessment or closing the medications display (if applicable). Please be aware that information on your use of the branded care options might be shared with our partners in aggregated and anonymous form even when you have revoked your consent.
  • Storage duration: The data processing to display the branded care options only takes place as long as you actually view these options. However, we will store tracking events on your viewing of the branded care options, i.e., to document your consent.

3.7 Assessing your suitability for and inviting you to research to improve Ada

  • Types of data: Email address, account ID, profile name, date of birth, illness symptoms, potential causes of illness symptoms, medical history, allergies, geographic location, time and date of assessment, app usage data and other data that you have provided to us.
  • Purpose of processing: When you allow us to invite you to research projects, we might contact you and suggest participating in specific projects that are either carried out by us or by our research partners. The focus of this research can range from health-related aspects to the design or functionality of our services. We might determine your suitability to participate in research studies based on health information (e.g. general demographics, symptoms and/or past assessments) or based on your overall usage of our product/service. We will contact you via the email-address provided to create an Ada account. If you have also agreed to receive push notifications in the Ada app, we might also contact you this way. Please be aware that we might also suggest participating in research projects as a way to address your current symptoms and learn more about a suggested condition. In this case Sec. 3.5 above applies. For the avoidance of doubt, your data will only be processed to identify research projects you might be suitable for and invite you to them. You are always free to decide if you actually want to take part and have your data processed for purposes of the study. Only when you specifically agree to do so, will we use your personal data for those research projects or share it with our research partners.
  • Use justification: Consent (Article 6(1)(a) and Article 9(2)(a) GDPR) when you consent to participate in such clinical research and your data needs to be processed for the aforementioned purposes. You may revoke/withdraw your consent at any time (more information about your data subject rights in section 8 below).
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing according to section 3.2. When you request deletion of a specific case or if you delete a case in the App, your case data will no longer be used for this purpose.

3.8 Use of health data for statistical and research purposes

  • Types of data: Account ID (when applicable), case ID, profile ID (when applicable), age, gender, illness symptoms, geographic location, risk factors, assessment results such as potential causes of illness symptoms, medical history, allergies, time and date of assessment, and other relevant and related health data that you may have provided us.
  • Purpose of processing: We process pseudonymized data to carry out aggregate statistics on the results of the symptom assessments conducted by our users. These statistics allow the close analysis of symptoms and health conditions such as prevalence by geography or age groups. We present such aggregated statistics to our partners, always on an irreversibly anonymized basis. To provide these statistics we use the service Tableau by Tableau Software, LLC (“Tableau”). Before we share any data with Tableau, we remove all information that directly identifies you. Your data will be processed within the EU, except for residents of the United States whose data will be processed in the US.
  • Use justification: The processing is necessary for statistical purposes, and we only provide our partners with anonymized and summarized statistics from which the identification of a specific natural person is impossible (Article 9(2)(j) GDPR; Sec. 27 (1) BDSG). Our legitimate interest in processing data for these purposes is to support progress in medical research in line with our entrepreneurial goals which is also in the public interest to improve healthcare such as, but not limited to, analyzing the occurrence and characteristics of diseases. You may, for reasons arising from your particular situation, object to such a processing at any time by writing us here (more information about your right to object in Section 8 below).
  • Storage duration: The storage duration of your data on the basis of which we create the statistics corresponds to the period of processing according to section 3.2. When you request deletion of a specific case or if you delete a case in the App, your case data will no longer be used for this purpose. The statistics are anonymous.

3.9 Use of health data for public health purposes

  • Types of data: Account ID (when applicable), profile name (when applicable), case ID, device ID, age, gender, illness symptoms, geographic location, risk factors, assessment results such as potential causes of illness symptoms, medical history, allergies, time and date of assessment, and other relevant and related health data that you may have provided us.
  • Purpose of processing: We process pseudonymized data for public health purposes (as defined by GDPR recital 54) such as analyzing case data regarding public health trends, rare diseases and threats, and to identify factors that could improve public health such as finding out about the prevalence of specific conditions, the attributes of specific conditions and gaining insights into specific aspects of assessments. With these analyses we help identify infectious disease outbreaks and monitor their timely and geographic developments (e.g., during COVID-19 pandemic). As our data also includes people who have not yet consulted the health care system, we can better estimate the true burden of diseases. We may share and present the results as summarized statistics to our partners, e.g., in the public health and scientific community, always on an irreversibly anonymized basis. We may also process such types of data to provide you with the best guidance possible by, for example, directing you to the most appropriate care facility and help reduce unnecessary burden for you, but also for health care systems.
  • Use justification: The processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i) GDPR, Article 22 (1)(1)(c) BDSG). Our legitimate interest in processing data for these purposes is to support public health progress by protecting against serious cross-border threats to health. You may, for reasons arising from your particular situation, object to such a processing at any time by writing us here (more information about your right to object in Section 8 below).
  • Storage duration: The storage duration of your pseudonymized data on the basis of which we create the statistics corresponds to the period of processing according to Section 3.2. When you request deletion of a specific case or if you delete a case in the App, your case data will no longer be used for this purpose.

3.10 Post-market surveillance and medical safety

  • Types of data: Account ID (when applicable), profile name and ID (when applicable), case ID, time and date of assessment, data provided in a case (personal health data required to provide the assessment such as age, gender, geographic location (country), illness symptoms, potential causes of illness symptoms, allergies, pregnancy status, and relevant and/or related medical history), diagnosis of your treating physician, voluntary feedback including health data, assessment result, and data related to software and hardware (such as version numbers, operating system, and device ID). IP address and any events while using the Symptom Assessment.
  • Purpose of processing: To guarantee high quality and safety standards of our medical devices, i.e., the Ada Health App and Ada Assess, it is necessary to systematically monitor their quality, performance and safety (“Post-Market-Surveillance”). We rely on various procedures to detect any potential malfunctions, incorrect assessments, issues with availability or usability or to determine if any improvement, field safety or other corrective action is needed for our medical devices to meet the highest quality and safety standards. We constantly review the quality of the assessment results. Such a review can be prompted by your medically relevant feedback or a lodged complaint. If you voluntarily share findings of your medical treatment we will use this information for purposes of Post-Market-Surveillance as well. In addition, we are tracking users’ interactions with our medical devices to monitor their usability. To the extent possible, we use pseudonymized or anonymized data to perform this task. However, in some circumstances your (sensitive) personal information might also be processed in the clear, e.g., where it is necessary to reach out to you.
  • Use justification: The processing is required to comply with our legal obligation to conduct post-market surveillance to ensure the necessary standards of quality and safety of our medical devices under medical device regulations and as provided in the following legal texts (section 22(1)(1)(c) BDSG, Article 9(2)(i) GDPR). The basis of post-market surveillance obligations is Article 83 et seq. and Annex III of the EU Medical Devices Regulation (2017/745/EU).
  • Storage duration: We process your data until no longer necessary for the purposes specified above. The storage duration of your data for this purpose corresponds with our obligation to comply with the necessary standards of quality and safety.

3.11 Share limited information and increase Ada’s impact

  • Types of data: Advertiser ID, download and installation of the App on your mobile device, information on how you found out about us (e.g., via social media or an online article), whether your registration and the creation of a new case with us was successful, and your rating of our App on the App Stores, geographical location, time and date.
  • Purpose of processing: We process some usage data (which does not include personal health data) if you are using the App, to understand how Ada reaches people online. This helps us share relevant information with you and other potential users. For example, if you have already downloaded the App, this means you will no longer see ads asking you to download the App when you’re online. This information also helps us understand how we can reach more people online who may benefit from Ada’s medical expertise. We only use pseudonymized usage data that we collect through our contract processor Adjust GmbH (Saarbrücker Str. 38a, 10405 Berlin, Germany). We will never share your personal health information with advertisers or other third parties for this purpose.
  • Use justification: Consent (Article 6 (1) (a) GDPR).
  • Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected. We will delete the data at the latest within 45 days.

3.12 Monitor usage to ensure proper use, functioning, maintenance and improvement of the Services and related emails

  • Types of data: Device ID, IP address, operating system and browser type, length of visits to certain pages, and page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date, any events while using our products such as, but not limited to, started assessment or finished assessment.
  • Purpose of processing: We use a limited set of usage data (which does not include personal health data) to ensure the proper use, functioning, maintenance and improvement of our Services for all users.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the aforementioned purposes for which that data is used. Under no circumstances will we use the collected data to determine your identity. We may process the page interaction when you use our Services or receive emails we may send you, to ensure proper reception and assess the service in order to improve it. You may, for reasons arising from your particular situation, object to such a legitimate processing at any time by writing us here (more information about your right to object in Section 8 below).
  • Storage duration: Your data is removed after 15 days, unless a security-relevant event occurs (e.g., a DDoS attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

3.13 Direct marketing

  • Types of data: Email address, profile name, gender preference.
  • Purpose of processing: We process your data to send you direct marketing (products and services) or communication about any survey that we believe will be of interest to you. We might alert you to helpful app functionalities, provide seasonal health advice or send you reminders concerning your assessments. Those messages will not contain any health information about you. You can modify your marketing settings at any time by using the link at the bottom of each marketing email, or by sending your unsubscription request here.
  • Use justification: Consent (Article 6(1)(a) GDPR) and our legitimate interest (Article 6(1)(f) GDPR) to inform you about our own similar products and services.
  • Storage duration: We will store your data until you revoke your consent or object to the processing based on our legitimate interest.

3.14 Optimizing our marketing initiatives

  • Types of data: Device ID, IP address, operating system and browser type, length of visits to certain pages, and page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date.
  • Purpose of processing: We use a limited set of usage data (which does not include personal health data) to track your page interaction and analyze the data to optimize our marketing initiatives.
  • Use justification: Consent (Article 6 (1) (a) GDPR). You can customize your tracking settings at any time in the privacy settings in the App, or by writing us here.
  • Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected, or you revoke your consent. The storage duration of your data for this purpose corresponds to the period of processing in accordance with Section 3.2. The data we process for the purpose of tracking is removed within 45 days at the latest.

3.15 Performance reports

  • Types of data: Error, crash reports including device, app and incident specific information (e.g., App Version), IP address, URL, geographic location, time and date.
  • Purpose of processing: We use the above data (which does not include personal health data) both to ensure the functionality of our Services (our Services cannot function properly without this processing) and to prevent any decompiling or other reverse engineering. We only use pseudonymized usage data that we may collect via the service of our processor Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107 USA (“Sentry”). This data may be transmitted to and stored on Sentry’s servers. For more information, please see Sentry’s privacy policy here. We may also send the above personal data to our processor Sumo Logic, a corporation headquartered at 305 Main Street, Redwood City, CA 94063, US. The data collected in this context is not used to link any usage profile with your personal data. Your personal data may be transmitted to and stored on the servers of Sumo Logic. Further information can be found in Sumo Logic’s Privacy Statement here.
    We also transfer the personal data to our processor Hound Technology, Inc., 548 Market Street, 25362 San Francisco, CA 94104-5401 (“Honeycomb”). The data processed in this context is pseudonymized and cannot be linked to you by Honeycomb. Ada does not link any usage profile with your personal data. Further information can be found in Honeycomb’s Privacy Policy here.
    We have agreed on Standard Contractual Clauses and additional contractual obligations with each of these service providers. In addition, we will assess, on a case-by-case basis, the risks for your rights and privacy, together with the necessity to keep them to provide you with our Services. Should you have any question about the additional measures we put in place, please feel free to contact us via email to [email protected].
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the purposes described above. Under no circumstances will we use the collected data to determine your identity.
  • Storage duration: Your data is removed after 60 days, unless a security-relevant event occurs (for example, a Distributed Denial of Service attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

3.16 Feedbacks / Surveys

  • Types of data: Feedback that you provide (depending on the survey this may contain personal data and health data), user and contact details (where applicable).
  • Purpose of processing: Ada is relying on feedback and surveys in various scenarios to understand if and how our products can be improved to match your needs. Providing feedback is always voluntary and clearly indicated. When you provide us feedback or take part in a survey, we might also rely on information we already know about you (e.g., your age and sex) or your use of our products to analyze and evaluate your input. We will not use any health data without specifically asking your consent to do so. Please also see Sec. 3.10 above to learn how we use medically relevant feedback you may give us (optional) to guarantee high quality and safety standards of our Symptom Assessment.
  • Use justification: Your consent (Article 6(1)(a) / 9(2)(a) GDPR) and where applicable our legitimate interest (Article 6(1)(f) GDPR) to improve your user experience as well as the functionality of our Services and to adjust our actions to your needs based on your input. Under no circumstances will we use the collected data to determine your identity. You can object to the processing and withdraw your consent at any time by aborting the survey or contacting Ada.
  • Storage duration: Your data will be stored until it is no longer required for the survey for which it was collected. This depends on the setup of the individual survey you take part in. Where possible we will anonymize any information that might identify you during the evaluation for further processing.

3.17 Ada Health COVID-19 Risk Severity and Authorized Oral Antiviral Potential Eligibility Questionnaire

  • Categories of data: Data about you (e.g., age group), data about your health, especially your risk factors, your pregnancy status, your symptoms as well as a COVID-19-test result.
  • Purpose of processing: We process the information you provide in the Ada Health COVID-19 Risk Severity and Authorized Oral Antiviral Potential Eligibility Questionnaire (“Questionnaire”) to determine your risk of progressing to a severe COVID-19 infection and to propose appropriate options to manage your risk. No personal data that directly identifies you will be collected as part of the Questionnaire. To assess the effectiveness and usability of the Questionnaire, we also anonymize your data to compile usage statistics.
    If you access our Website from the United States of America you will be referred to a separate US version of the Questionnaire. Please be aware that both this US version of the Questionnaire as well as the Website is provided by our US subsidiary Ada Health, Inc. and is subject to a separate Privacy Policy.
  • Legal basis: Consent (Article 9(2)(a) GDPR) as well as necessity for the fulfilment of the user contract for the EQ.
  • Storage duration: We store the data collected in the EQ for a period of 11 years, as part of our obligations to conduct post-market-surveillance of a medical device. The data is not used for any other purposes.

3.18 Push Notifications

  • Types of data: Ada ID, usage data, email, first name, language, country, signup source.
  • Purpose of processing: Based on your consent, we can contact you via push notifications in the Ada app to help you make the best use of Ada’s functionalities. We might inform you about updates regarding your specific symptom assessment such as suggesting newly available options to manage your symptoms, alert you to helpful app functionalities or provide seasonal health advice. For this purpose, we might process your health data. To deliver the push notifications we use the service “Braze” of Braze Inc., 330 W 34th St 18th floor, New York, NY 10001, USA as our technical service provider, which processes your data in the US. Braze only has access to a limited data set in order to be able to technically deliver the push notification to your device. It does not have access to your health or app usage data. We have entered into a Data Processing Agreement with Braze whereby Braze is solely allowed to process your data according to Ada’s instructions. This agreement also includes the Standard Contractual Clauses.
  • Use justification: Consent (Article 6(1)(a) / 9(2)(a) / 49(1)(a) GDPR) for the processing of your data including health data and the processing of your data in the US. You may revoke/withdraw your consent and change your device settings to block notifications at any time; however, it is not possible to provide you with push notifications without such consents.
  • Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected, or you revoke your consent.

4. Cookies and tracking on our Website

Our Website uses so-called “cookies”. Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term “cookies” to refer to all tools that collect data on our Website (e.g., IP addresses, place and time of the visit) including pixels. Your data collected in this way is pseudonymized and is not stored together with your other personal data. This processing is carried out on a legal basis and, where required by law, based on your consent.

For detailed information on the cookies we use, the purposes for which we use them and to manage your Cookie preferences, see our Cookie Policy.

Ada also measures the success of its marketing campaign with cookie-less measures. To do this, Ada relies on information your browser automatically shares when you click on one of our ads and are directed to our Services. This way, we count how often a certain ad is clicked to determine which of our campaigns is most effective. Data is only processed in aggregated form. Ada is not able to identify you based on the information collected this way. Your data is not shared with third parties.

5. Where do we store your personal data

The personal data that we collect from you is stored in the European Union on Cloud Servers of Amazon Web Services EMEA S.A.R.L. (“AWS”) with a business seat in Luxembourg and on the Cloud Servers of Google Commerce Limited (“GCL”), a company incorporated under the laws of Ireland, with its offices at Gordon House, Barrow Street, Dublin 4, Ireland. This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement, as long as the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments.

Sensitive information between your browser and our Website is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

6. Disclosure of your personal data

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement. A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here. Where we use Service providers who process personal data on our behalf outside the EEA (or “third countries”) we do so with the appropriate safeguards for your data subject rights.
To a limited extent, we do use service providers situated in the US. In its decision C-311/18 (Schrems II), the CJEU held that the EU-US Privacy Shield is insufficient to safeguard your rights in the US and therefore invalid. Following this decision we have reached out to our US-based service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of the European Data Protection Board.
Where we cannot provide these appropriate safeguards we ask for your specific consent before sharing your data.
More details on third country service providers and the measures taken to ensure your rights are detailed in the relevant sub-sections of section 3 above.

6.2 In addition, we do not transfer your personal data to third parties - with the exception, when applicable, of the purposes listed below

  • Use justification: The legal basis for the transfer and processing of your personal data by the processor corresponds to the legal basis on which we, as data controller, rely (always in compliance with section 3 above).

6.3 If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our business or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e., your personal health data.

6.4 If we or, substantially, all of our assets are acquired by a third party, personal data about our users will be one of the transferred assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our company or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e., your personal health data.

6.5 If we are required on the basis of EU law or the law of a Member State to disclose or share your personal data.

  • Use justification: Legal obligation (Article 6(1)(c) GDPR).

6.6 We may disclose certain data to organizations involved in clinical trials and other types of research where you have explicitly authorized us to do so.

  • Use justification: Consent (Article 9(2)(a) GDPR).

6.7 We might engage in affiliate programs for US-based users. In that case, we may share with those affiliate program partners the information that you were directed to their services by us. This is done for billing purposes. We do not share any Personal Information which can directly identify you. However, when you register for the services of our affiliate program partners you may be asked to provide Personal Information that allows them to identify you (for example the information you share for booking an appointment through our affiliate program partners’ platforms etc.).

7. How long do we retain your personal data

We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle.

After the processing of your data is no longer necessary for the purposes outlined in section 3 or your account is deleted (see section 3.2) we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs.

We will retain accounting data in accordance with the commercial and tax law storage obligations of six or ten years (§ 147 German Tax Code, § 257 German Commercial Code).

We will retain Post-Market-Surveillance data (incl. health data) in accordance with our storage obligations according to the medical device law.

We will retain data (incl. health data) in relation to your use of our Services for three or ten years in accordance with our business needs for the purposes of establishing, exercising or defending against legal claims.

If you were a user of the UK Doctor Chat services (which is no longer available since 23 March 2018), your consultation details may be retained by us for a period up to 10 years according to the UK Records Management Code of Practice Retention Schedule, or if otherwise required by Care Quality Commission (“CQC”).

If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.

8. Your data subject rights

Under GDPR you have various rights in relation to your personal data (as listed below). All of these rights can be exercised by contacting us via our contact form, by selecting “Exercising My Data & Privacy Rights”.

Verification: in order to verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account. If there is no email address associated with your account, we may ask you for proof of ID.

  • Right to withdraw consent: Where the processing of your data relies on your prior consent, you have the right to withdraw such a consent at any time by notifying us here. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected.
  • Right to object: You have a right to object under the conditions of Article 21 GDPR. Below you will find more detailed information:
    Right to object where the processing is based on legitimate interests: As a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
    Right to object where we process your personal data for statistical purposes: If we process your personal data for statistical purposes pursuant to Article 9(2)(j) GDPR / section 27(1) BDSG, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose, unless the processing is necessary to fulfil a task in the public interest, or if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfilment of statistical purposes.
    Right to object where we process your personal data for public health purposes: If we process your personal data for public health purposes pursuant to Article 9(2)(i) GDPR / section 22(1)(1)(c) BDSG, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose, unless the processing is necessary to fulfil a task in the public interest, or if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of public health purposes and the continuation of processing is necessary for the fulfilment of public health purposes.
    Right to object to direct marketing: Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes. To exercise your rights of objection, you may reply by email to the direct marketing email you receive from us or contact us at any time here.
  • Right to be informed: As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 GDPR. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
  • Right to erasure / ‘Right to be forgotten’: As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 GDPR. This means that you generally have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. You can do this by deleting your account, in the App, at any time. If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17(2) GDPR). The right to erasure (“right to be forgotten”) exceptionally does not apply if the processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e) GDPR).
  • Right to restriction of processing: As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4(3) GDPR).
  • Right to data portability: As a data subject, you have a right to data portability under the conditions provided in Article 20 GDPR. This means that you generally have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (pursuant to Article 6(1)(b) GDPR), and where the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible (Article 20(2) GDPR).
  • Right to Rectification: As a data subject, you have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you have the right to receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.
  • Right to complain: As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR. The supervisory authority responsible for us is the Berlin Data Protection Authority in Germany (Berliner Beauftragte für Datenschutz und Informationsfreiheit, Address: Friedrichstr. 219, 10969 Berlin; Telephone: 030 13889-0; E-Mail: [email protected]).

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

9. International Data Protection

For residents of countries outside the EU, the following additional information in accordance with the respective local data protection laws applies.

Those rights apply in addition to your rights as data subject under the GDPR as explained in Sec. 8 above and can be exercised in the manner described there. Where you exercise both your GDPR and your local data protection laws rights simultaneously, Ada will guarantee those rights in addition to each other.

The additional information can always be found in this English version of the privacy policy as well as the respective national language version (where available).

9.1 Brazil

If you are a Brazilian resident, Brazilian law requires us to provide you with some additional information regarding your rights with respect to your “personal information” (as defined in the “Lei Geral de Proteção de Dados” (hereinafter the “LGPD”) that came into force on September 18th, 2020).

To find out what categories of your personal information are processed and what the purposes of the processing are, you can read section 3 titled “Which personal data we may collect and process, why and for how long” within this document.

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

  • your consent to the relevant processing activities;
  • protection or physical safety of yourself or a third party;
  • compliance with a legal or regulatory obligation that lies with us;
  • the carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments;
  • studies conducted by research entities, preferably carried out on anonymized personal information;
  • the carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract;
  • the exercising of our rights in judicial, administrative or arbitration procedures;
  • the protection of health – in procedures carried out by health entities or professionals;
  • our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests.

9.1.1 Your Brazilian privacy rights

You have the right to:

  • obtain confirmation of the existence of processing activities on your personal information;
  • access your personal information;
  • have incomplete, inaccurate or outdated personal information rectified;
  • obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
  • obtain information on the possibility to provide or deny your consent and the consequences thereof;
  • obtain information about the third parties with whom we share your personal information;
  • obtain, upon your express request, the portability of your personal information (except for anonymized information) to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
  • obtain the deletion of your personal information being processed if the processing was based upon your consent, unless one or more exceptions provided for in art. 16 of the LGPD apply;
  • revoke your consent at any time;
  • lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
  • oppose a processing activity in cases where the processing is not carried out in compliance with the provisions of the law;
  • request clear and adequate information regarding the criteria and procedures used for an automated decision; and
  • request the review of decisions made solely on the basis of the automated processing of your personal information, which affect your interests. These include decisions to define your personal, professional, consumer and credit profile, or aspects of your personality.

You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

9.1.2 How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document (e.g. an email at [email protected]), or via your legal representative.

9.1.3 How and when we will respond to your request

We will strive to promptly respond to your requests.

In any case, should it be impossible for us to do so, we’ll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

In the event that you file an access or personal information processing confirmation request, please make sure that you specify whether you’d like your personal information to be delivered in electronic or printed form.

You will also need to let us know whether you want us to answer your request immediately, in which case we will answer in a simplified fashion, or if you need a complete disclosure instead.

In the latter case, we’ll respond within 15 days from the time of your request, providing you with all the information on the origin of your personal information, confirmation on whether or not records exist, any criteria used for the processing and the purposes of the processing, while safeguarding our commercial and industrial secrets.

In the event that you file a rectification, deletion, anonymization or personal information blocking request, we will make sure to immediately communicate your request to other parties with whom we have shared your personal information in order to enable such third parties to also comply with your request – except in cases where such communication is proven impossible or involves disproportionate effort on our side.

9.1.4 Transfer of personal information outside of Brazil permitted by the law

As Ada is based in Germany, we only transfer your data including health related data to Germany to provide our services. In addition to that Ada uses third party services outlined in section 3 to transfer data to third countries.

We are allowed to transfer your personal information outside of the Brazilian territory in the following cases:

  • when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, according to the legal means provided by the international law;
  • when the transfer is necessary to protect your life or physical security or those of a third party;
  • when the transfer is authorized by the ANPD;
  • when the transfer results from a commitment undertaken in an international cooperation agreement;
  • when the transfer is necessary for the execution of a public policy or legal attribution of public service;
  • when the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

9.2 Canada

As a resident of Canada, Ada guarantees your rights according to Canadian privacy laws, namely the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or any superseding provincial privacy laws.

9.2.1 PIPEDA

As a resident of Canada, PIPEDA grants you the right to access (Sec. 4.9. of Schedule 1) and correct (Sec. 4.9.5. of Schedule 1) your information.

You can exercise these rights as described in Sec. 8 above. Please note that any restriction or limitations of those rights under GDPR do not apply. In addition, you also have the right to challenge compliance with the regulation. To do so, please contact Ada’s Data Protection Officer at [email protected].

If you live in the Province of Alberta, British Columbia or Quebec you are subject to provincial privacy laws that supersede PIPEDA. Please see below for your privacy rights as a citizen of those provinces.

9.2.2 Alberta

To the extent that these differ from the corresponding GDPR rights as detailed above, Ada also provides citizens of the Province of Alberta with the following rights according to Personal Information Protection Act of Alberta (“PIPA Alberta”):

  • Right to access and information according to Sec. 24 PIPA Alberta
  • Right to correction, Sec. 25 PIPA Alberta

You can exercise these rights as detailed above in Sec. 8 of this Privacy Policy.

Please be aware that the legal bases for processing activities as described above are those of the GDPR. Where the processing is based on a consent, this will be considered a consent under PIPA Alberta as well. Where the processing is legally required under applicable legislation or based on Ada’s legitimate interest, this will be considered to be consent by notice according to Sec. 8 (3) with this Privacy Policy constituting the notice. Please be aware that if you decline or object to a processing activity mandated by applicable legislation Ada will not be able to provide you with its Services.

9.2.3 British Columbia

To the extent that these differ from the corresponding GDPR rights as detailed above, Ada also provides citizens of the Province of British Columbia with the following rights according to Personal Information Protection Act of British Columbia (“PIPA BC”):

  • Right to access and information according to Sec. 23 PIPA BC
  • Right to correction, Sec. 24 PIPA BC

You can exercise these rights as detailed above in Sec. 8 of this Privacy Policy.

Please be aware that the legal bases for processing activities as described above are those of the GDPR. Where the processing is based on a consent, this will be considered a consent under PIPA BC as well. Where the processing is based on Ada’s legitimate interest, this will be considered to be an implicit consent according to Sec. 8 (3) respectively with this Privacy Policy constituting the notice. Where the processing is legally required under applicable legislation a consent is considered not to be required according to Sec. 12 (1) (h) PIPA BC. Please be aware that if you decline or object to a processing activity mandated by applicable legislation Ada will not be able to provide you with its Services.

9.2.4 Quebec

To the extent that these differ from the corresponding GDPR rights as detailed above, Ada also provides citizens of the Province of Quebec with the following rights according to the Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Private Sector Act”):

  • Right to access and a copy of your information according to Sec. 27 Quebec Private Sector Act
  • Right to correction of your information, Sec. 28 Quebec Private Sector Act
  • Right to stop dissemination of your information, Sec. 28.1 Quebec Private Sector Act

You can exercise these rights as detailed above in Sec. 8 of this Privacy Policy.

Please be aware that the legal bases for processing activities as described above are those of the GDPR. Where the processing is based on a consent, this will be considered a consent under Quebec Private Sector Law as well. Where personal information is not directly collected from you, e.g. through technical means as described in Sec. 3 above. Where your personal information is used for other purposes than you explicitly or implicitly consented to, such use is limited to permissible causes as stated in Sec. 12 (3) and (4) of the Quebec Private Sector Act. Your information is used to ensure the proper functionality of Ada’s services and to comply with legal requirements to monitor and improve the use and usability of its services.

9.3 Singapore

As a resident of Singapore, Ada guarantees your rights to information and correction according to Art. 21 and 22 of the Personal Data Protection Act (PDPA). Those rights apply in addition to your rights as data subject under the GDPR as explained in Sec. 8 above and can be exercised in the manner described there. Where you exercise both your GDPR and your PDPA rights simultaneously, Ada will guarantee those rights in addition to each other.

Regarding the legal basis for the processing of your personal data as explained in Sec. 3, please note that where the Use justification provided refers to the legal basis of necessity to perform a contract (Art. 6 I lit. a GDPR) this is considered to qualify as Deemed Consent according to Art. 15 PDPA. Where the Use justification provided refers to the legal basis of legitimate interest (Art. 6 I lit. f GDPR) this is considered to qualify as Deemed Consent by Notification according to Art. 15A PDPA with this privacy policy constituting the notice. Where the Use justification provided refers to the legal bases fulfilling a legal obligation (Art. 6 I lit. c GDPR) or processing for a public interest in the area of public health (Art. 9 lit. I GDPR) processing without your consent is required or authorised under the PDPA or any other written law. Where the description of the processing activity in Sec. 3 above specifies consent as the legal basis, this is considered to qualify as consent according to Sec. 14 PDPA. Please also see the table below:

Legal basis under GDPR as described in Sec. 3 | Legal basis under PDPA
Performance of a contract, Art. 6 I lit. a GDPR | Deemed Consent according to Art. 15 PDPA
Legitimate interest, Art. 6 I lit. f GDPR, except Sec. 3.13. | Collection, use and disclosure without consent, Art. 17 (2), First Schedule Part 3
Performance of a legal obligation (Art. 6 I lit. c GDPR); processing for a public interest in the area of public health, Art. 9 lit. I GDPR) | Consent not needed, Art. 13 (b) PDPA
Consent, Art. 6 I lit. a and Art. 9 II lit. a GDPR, Sec. 3.13. | Consent, Art. 14 PDPA

9.4 Switzerland

As a resident of Switzerland, Ada guarantees your rights provided for in the Swiss Data Protection Act (DSG). Those rights apply in addition to your rights as data subject under the GDPR as explained in Sec. 8 above and can be exercised in the manner described there. Where you exercise both your GDPR and your DSG rights simultaneously, Ada will guarantee those rights in addition to each other.

Ada guarantees the following rights under either the GDPR or the DSG:

Data Subject Right | GDPR | Swiss DSG | New Swiss DSG (as applicable from 01.09.2023)
Information | Art. 15 | Art. 8 | Art. 25
Correction | Art. 16 | - | -
Deletion | Art. 17 | - | -
Limitation of processing | Art. 18 | - | Art. 26
Copy of Data/ Data portability | Art. 15 III, 20 | - | Art. 28

The processing of your sensitive personal health data is either based on your explicit consent or, where applicable, our legal obligations as a medical device manufacturer under MDR.

Other legal bases for the processing of your personal data under GDPR as described above translate into justifications of the DSG as follows:

Reason for processing | Legal basis under GDPR | Justification under DSG
Necessity to perform a contract | Art. 6 (2) lit. b | Art. 31 (2) lit. a
Legitimate interest for statistical purposes (Sec. 3.8) | Art. 9 (2) lit. j | Art. 31 (2) lit. e

9.5 United States

9.5.1 California

If you are a California resident (as defined in section 17014 of Title 18 of the California Code of Regulations), California law requires us to provide you with some additional information regarding your rights with respect to your “personal information” (as defined in the California Consumer Privacy Act (hereinafter the “CCPA”) that came into force on January 1st, 2020). This Section 9 supplements the information found elsewhere in this Privacy Policy.

For purposes of the CCPA, references to “Ada” as defined in this Privacy Policy include its US affiliate Ada Health, Inc.

Ada may collect the following CCPA categories of personal information from you based on the Services you use:

Category | Examples | Collected and Processed by Us
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Yes
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Yes
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Yes
D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | Yes
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | Yes
G. Geolocation data. | Physical location or movements. | No
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | No
I. Professional or employment-related information. | Current or past job history or performance evaluations. | No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | No
K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | No

We did not during the preceding 12 months, do not currently, and will not in the future sell your personal information to third parties (and will never do it without providing a right to opt out). Except as disclosed in this Section 9, we do not transfer your personal information to third parties.

We may transfer your personal data to third party processors in order to achieve the purposes of the processing listed in Section 3 above, but only with the third-party processors with whom we have a data protection agreement in place. A full list of our third-party processors can be found here. We may also share your personal information by disclosing it to a third party for a business purpose, and for any other purpose with your consent. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.

Personal Information Category | Category(ies) of Third-Party Recipients | Business Purpose
A: Identifiers. | Customers, service providers, affiliates and business | To provide our Services to you and to process your orders and results.
B: California Customer Records personal information categories. | Customers, service providers, affiliates and business partners | To provide our Services to you and to process your orders and results
C: Protected classification characteristics under California or federal law. | Customers, service providers, affiliates and business partners | To provide our Services to you and to process your orders and results
D: Commercial information. | Service providers and affiliates. | To provide our Services to you and to process your orders and results
E: Biometric information. | Customers, service providers, affiliates and business partners. | To provide our Services to you and to process your orders and results
F: Internet or other similar network activity. | Service providers and affiliates. | To provide our Services to you.
G: Geolocation data. | None | N/A
H: Sensory data. | None | N/A
I: Professional or employment-related information. | None | N/A
J: Non-public education information. | None | N/A
K: Inferences drawn from other personal information. | None | N/A

CCPA provides California consumers the following rights (which do not interfere with GDPR):

  • Right to request disclosure of any personal information we collected (Article (1798.100) (a) CCPA). This means in particular that you have the right to request disclosure of the categories of personal information we collected from you, together with the categories of sources from which it was collected, the purpose of the collection, the categories of third parties with whom we shared your personal information, and the specific pieces of personal information that have been collected (Article 1798.110 (a) CCPA).
  • Right to request deletion of any personal information that we collected from you (Article (1798.105) CCPA). This means that after we have verified your request to delete your personal information, we shall delete it from our records and direct any service providers to delete your personal information from their records, except when Article 1798.105 (d) CCPA is applicable (e.g. in case the personal information is necessary to provide the Services, to detect security incidents, to identify and repair errors that impair existing intended functionality of the Services, to engage in statistical research in the public interest, or to comply with a legal obligation).

In addition to the possibility to contact us through our contact form by selecting “Exercising My Data & Privacy Rights”, you can exercise any rights under CCPA or request further information regarding your rights by calling us through our hotline.

9.5.2 Washington

As a resident of Washington (State), Ada guarantees your rights regarding the processing of “Consumer health data” according to the My Health My Data Act (“MHMDA”). Those rights apply in addition to your rights as data subject under the GDPR as explained in Sec. 8 above and can be exercised in the manner described there. Where you exercise both your GDPR and your MHMDA rights simultaneously, Ada will guarantee those rights in addition to each other.

You may have the following rights under the MHMDA:

  • The right to confirm whether Ada is collecting, sharing, or selling your consumer health data and to access this data, including a list of all third parties and affiliates with whom Ada has shared or sold the consumer health data and a contact to these third parties (email or other), Sec. 6 (1) (a) MHMDA
  • The right to withdraw consent from the collection and sharing of your consumer health data (where applicable), Sec. 6 (1) (b) MHMDA
  • The right to have your consumer health data deleted, Sec. 6 (1) (c) MHMDA

Please be aware that the legal bases for the processing activities described above in Sec. 3 are those of the GDPR and differ from the MHMDA. Where the legal basis is indicated as consent this is equally applicable for purposes of the MHMDA. Those consents can be withdrawn according to Sec. 6 (1) (c). All processing activities based on a legal basis other than consent are considered to be necessary to provide a service that you requested according to Sec. 5 (1) (ii).

We only collect Consumer health data directly from you. Please be aware that we will also automatically collect data about you, your device or your usage of our services as indicated above. This data does not contain any information about your health.

10. Changes to this policy

Any changes we make to our Privacy Policy in the future will be posted on this page, and where appropriate, notified to you by email, notifications via the App, or by any other available means. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.