App Privacy Policy

General Information on Data Processing

The following privacy policy pertains to the app "rectify", hereinafter also referred to as "the app". It is developed by MinkTec GmbH, hereinafter also referred to as "we".

Scope of Processing Personal Data

We generally process our users' personal data only to the extent necessary to provide the services of "rectify". The processing of our users' personal data occurs only after their explicit consent. It is expressly not in MinkTec's interest to draw conclusions about individuals. MinkTec reserves the right to pass on anonymized datasets of posture and movement data to third parties for research purposes.

Cloud Hosting

User accounts, online storage, and the database are provided by the provider Supabase Inc. Supabase is a US company. User data is stored encrypted on servers in Frankfurt am Main. Encryption is also used for transmission to the server.

User Account

To create an optional user account, the following information is collected:

  • Name
  • Email address

rectify supports login with a Google account or an Apple ID. If this login option is chosen, we gain access to the name and email address specified in the profile. We DO NOT gain access to the password.

Further information can be provided voluntarily. This includes:

  • Profile picture
  • Username
  • Biography
  • Employer (in the case of corporate health management projects)

Survey

To improve personalization, rectify collects data about users. Providing this data is voluntary. It includes:

  • Age
  • Gender
  • Weight
  • Height
  • Prevalence of back pain
  • Type of professional activity (e.g., office job, physically active)
  • Exercise habits
  • Sports behavior (e.g., memberships in sports clubs)
  • Myopia (nearsightedness)
  • Hobbies
  • Daily habits (e.g., frequency of walks)

Posture and Movement Data

MinkTec processes posture and movement data automatically generated by the FlexTail® (sensor strip) in the sensor shirt. To continuously improve the evaluation algorithms in the rectify app, we store your movement data in the cloud hosted by Supabase. The movement data is encrypted both during transport and storage.

Further Health Data

The app can, if the user explicitly allows it, read health data from Google Health (on an Android device) or Apple Health (on an iOS device) and include it in the analysis of movement data.

Telemetry

To continuously improve the user experience with rectify, information about usage activity is collected. This data is collected by the US provider PostHog Inc. PostHog stores this data in Frankfurt am Main.

This includes:

  • Smartphone model
  • Operating system version
  • Duration and frequency of use of rectify functions
  • Operating system language
  • Geolocation (city or state)

IP address collection is deactivated in PostHog.

Legal Basis for Processing Personal Data

Insofar as we obtain consent from the data subject for processing operations of personal data, Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for carrying out pre-contractual measures.

Insofar as processing personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

Processing of Health Data

If health data is processed, consent for data processing according to Art. 9(2)(a) and processing for scientific research purposes according to Art. 9(2)(j) serve as the legal basis.

Data Deletion and Storage Duration

Personal data will be deleted as soon as the purpose of storage no longer applies. This is the case as soon as the evaluation of the data is fully completed or after 5 years at the latest. Storage may extend beyond this period if provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the mentioned standards expires, unless there is a necessity for further storage of the data for the conclusion or fulfillment of a contract. Furthermore, every person has the right to erasure of all personal data according to Art. 17 GDPR (see below).

Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:

Right of Access

You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing exists, you can request the following information from the controller:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data being processed;
  3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
  4. the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage duration;
  5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information about the origin of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, according to Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information about whether the personal data concerning you is transferred to a third country or an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

Right to Rectification

You have a right to rectification and/or completion against the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without delay.

Right to Restriction of Processing

Under the following conditions, you can request the restriction of processing of personal data concerning you:

  1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims, or
  4. if you have objected to processing pursuant to Art. 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override yours.

If the processing of personal data concerning you has been restricted, this data – apart from storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

Right to Erasure

Obligation to Erase

You can request the controller to erase personal data concerning you without undue delay, and the controller is obliged to erase this data without undue delay where one of the following grounds applies:

  1. The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. You withdraw your consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and where there is no other legal ground for the processing.
  3. You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
  4. The personal data concerning you have been unlawfully processed.
  5. The erasure of personal data concerning you is required for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

Information to Third Parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Exceptions

The right to erasure does not apply to the extent that processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defense of legal claims.

Right to Notification

If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about these recipients by the controller.

Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. Freedoms and rights of others shall not be adversely affected hereby.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Right to Withdraw Data Protection Consent

You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between you and the data controller;
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.