Privacy policy

version dated 22 June 2026

Your privacy is important to us. Below, we explain what data we process when you use the Manoa app, for what purposes, and what rights you have. This privacy policy is provided for your information only (Articles 13 and 14 of the GDPR); consent is obtained separately within the app in accordance with the respective purpose of processing. Optional consents are voluntary and are not a prerequisite for using the Manoa app.

1 Data Controller and EU Representative

The data controller responsible for processing your data is Pathmate Technologies AG, Josefstr. 219, 8005 Zurich, Switzerland, email address: datenschutz@pathmate.app.

As the representative of Pathmate Technologies AG in the EU pursuant to Article 27 of the GDPR, you can contact Pathmate Technologies GmbH, Glücksteinallee 25, 68163 Mannheim, Germany, at the email address datenschutz@pathmate.app.

2 Contact details of the Data Protection Officer

We have appointed a Data Protection Officer for our company.

You can contact our Data Protection Officer:

  • By email at datenschutz@pathmate.app or
  • by post at the data controller’s postal address, marked ‘For the attention of the Data Protection Officer’.

3 Rights of the data subject

If your personal data is being processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller.

You may exercise your data protection rights at any time and obtain information about the data we hold and process about you, have your data rectified or supplemented, object to the processing of your data, or request the erasure of your personal data. You will find our contact details at the beginning of this document. You may only exercise your data protection rights (access, rectification, supplementation, objection) by providing an individual numeric code and/or request the erasure of your data directly within the app. Alternatively, you may exercise your data subject rights informally by emailing datenschutz@pathmate.app. The individual numeric code is used solely for identity verification and must not hinder the exercise of your rights. We usually respond to enquiries within one month (Article 12(3) of the GDPR).

Your rights at a glance. Under the GDPR, you are entitled to the following rights:

  • Right of access (Article 15 of the GDPR): Confirmation of and information regarding the data processed about you, the purposes, recipients, retention period and origin, as well as any transfers to third countries and the safeguards in place for such transfers.
  • Rectification (Article 16 of the GDPR): Rectification of inaccurate data and completion of incomplete data.
  • Erasure (Art. 17 GDPR): Erasure of your data, provided that there is no legal obligation to retain it or any other grounds for exemption.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR): Receipt of the data you have provided in a structured, commonly used and machine-readable format, provided that the processing is based on consent or a contract and is carried out by automated means.
  • Objection (Art. 21 GDPR): The right to object to processing carried out on the basis of Art. 6(1)(f) GDPR on grounds relating to your particular situation; and to object to direct marketing at any time.
  • Withdrawal of consent (Article 7(3) of the GDPR): at any time with effect for the future; the lawfulness of the processing carried out prior to withdrawal remains unaffected.
  • No fully automated decision-making (Art. 22 GDPR) with legal or similarly significant effects; no such decision-making takes place in the Manoa app.
  • Lodging a complaint with a supervisory authority (Article 77 of the GDPR).
  • To exercise your rights, simply send an informal message to the contact details provided at the beginning of this document. If your enquiry relates to special categories of personal data (health data), we may request suitable proof of identity for verification purposes.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

  • The competent supervisory authority for Pathmate Technologies GmbH is the State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart.
  • The Federal Data Protection and Information Commissioner (EDÖB), Feldeggweg 1, 3003 Bern, is responsible for Pathmate Technologies AG.

4 Information for users in Switzerland

As the Manoa app is also available in Switzerland, the Swiss Data Protection Act (revDSG) may apply to the processing of your personal data; Pathmate Technologies AG is the data controller in this respect. To avoid repetition, the provisions of this privacy policy apply mutatis mutandis within the scope of the revDSG in this case. In particular, the following correspondences apply:

  • ‘Special categories of personal data’ (GDPR) correspond to ‘personal data requiring special protection’ (Art. 5(c) revDSG); ‘transfer to a third country’ corresponds to ‘disclosure abroad’ (Art. 16 et seq. revDSG).
  • Where we rely on a legal basis under Article 6 or Article 9 of the GDPR, processing within the scope of the revDSG is based on the corresponding legal justification or your consent (Art. 30 et seq. revDSG); for personal data requiring special protection, we will obtain your explicit consent.
  • Your rights as a data subject (Section 3 ‘Rights of the data subject’) apply mutatis mutandis; under the revDSG, these arise in particular from Art. 25 (access to data), Art. 28 (disclosure and transfer of data) and Art. 32 (rectification).
  • The competent authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern.

5 Information on processing activities

5.1 Information provided prior to completion of registration

We would like to give our users the opportunity to stay informed, for example, if the user’s health insurance does not yet support Manoa or if new ways of using Manoa become available. This means, for example, that if your insurance provider starts supporting Manoa in future or if we wish to send an access code to selected users, you will be informed.

Purposes

Marketing communications.

Types of data

Your contact details, such as your email address.

Legal basis

Your consent pursuant to Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR.

Retention period

Until you withdraw your consent.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Proof of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

You can withdraw your consent at any time by sending an email to datenschutz@pathmate.app (please use the email address you have provided for this purpose).

5.2 Registration in the app

Purposes

Registration in the app, proof that you have reached the minimum age for using the app, and proof of your consent.

Types of data

  • First name, surname;
  • Pseudonym/nickname;
  • Date of birth;
  • Gender;
  • Email address;
  • Name of insurance provider or health insurance fund;
  • Insurance number (separate consent is obtained within the app);
  • Text entries in the chat, answers to questions in the chat and quiz questions.

To document the consents given, we also store the time at which consent was given and the associated IP address.

Legal basis

Your consent to the terms of use for the app in accordance with Article 6(1)(b) of the GDPR, in conjunction with your consent to the processing of health data relating to you for the purpose of performing the terms of use in accordance with Article 9(2)(a) of the GDPR.

Necessity

The processing of the personal data referred to above is necessary for the performance of your user agreement with us. If you do not provide us with the personal data referred to above, you will not be able to use our app.

Retention period

Until you withdraw your consent.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Proof of your consent and your withdrawal will be retained for three years following your withdrawal.

You may object to the processing at any time – within the app (under More > Data Protection & Legal) or by email to datenschutz@pathmate.app (please use the email address you provided during registration).

5.3 System security and troubleshooting

Purposes

To ensure the security of the processing of personal data.

Types of data

  • Meta/communication data, e.g. duration and frequency of visits, device information, operating system, IP addresses, server log files.
  • Pseudonymised usage data to the extent necessary for technical fault analysis and to ensure system stability;
  • Communications with us via telephone, email, text messages (SMS, push notifications, etc.).

Legal basis

The legal basis for our processing of the above-mentioned data relating to you is our legitimate interest in providing a functional, secure and stable application in accordance with Article 6(1)(f) of the GDPR. Where data is processed that allows conclusions to be drawn about your health within the meaning of Article 9(1) of the GDPR, we base the processing on Article 6(1)(c) in conjunction with Article 9(2)(i) of the GDPR, in conjunction with § 22(1) no. 1(c) of the BDSG, in conjunction with Articles 61 and 83 of the MDR (ensuring high quality and safety standards for a medical device).

Retention period

Server log files are stored for 14 days; crash reports for 90 days.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Objection

You may object to the processing at any time in accordance with Article 21(1) of the GDPR by contacting us via the contact details provided above.

5.4 Improvement and further development of the app

Purposes

Improvement and further development of the app: The processing involves, in particular, the identification, classification and analysis of usage patterns, user needs and interests based on pseudonymised usage and behavioural data.

Types of data

Pseudonymised usage and behavioural data not relating to health.

Legal basis

The legal basis for our processing of the above-mentioned data relating to you is our legitimate interest in improving and further developing the app in accordance with Article 6(1)(f) of the GDPR. Insofar as the processing is necessary to ensure the usability, safety and performance of the app as a medical device, it is also carried out on the basis of our legal obligation pursuant to Article 6(1)(c) in conjunction with Article 9(2)(i) of the GDPR, in conjunction with § 22(1) no. 1(c) of the BDSG and Articles 61 and 83 of the MDR. In such cases, there is no right to object.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Objection

You may object to this processing at any time within the app (under More > Data Protection & Legal) or by emailing datenschutz@pathmate.app in accordance with Article 21 of the GDPR.

5.5 Use of the app’s core medical functions as a medical device

Purposes

Your use of the app’s core medical functions as a medical device.

Types of data

  • Relevant medical measurements relating to the supported indications, e.g. weight, blood pressure readings, blood glucose readings, HbA1c, sleep logs, well-being;
  • Information on illnesses/health problems, e.g. high blood pressure or type 2 diabetes
  • Medicines.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Legal basis

Your consent to the app’s terms of use pursuant to Article 6(1)(b) of the GDPR, in conjunction with your consent to the processing of health data relating to you for the purpose of performing the terms of use pursuant to Article 9(2)(a) of the GDPR.

Retention period

Until you withdraw your consent.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. Evidence of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

You may object to the processing at any time – within the app (under More > Data Protection & Legal) or by email to datenschutz@pathmate.app (please use the email address you provided during registration).

5.6 Use of the app’s advanced medical features as a medical device

Purposes

Your use of the app’s advanced medical features as a medical device by linking our app to Google Fit/Health Connect (Android) and/or Apple Health (iOS).

Types of data

  • Health data (e.g. blood pressure, heart rate, sleep) from Google Fit/Google Health (Android), Apple Health (iOS), Withings or Omron Connect
  • Activity data (e.g. steps) from Google Fit/Health Connect (Android), Apple Health (iOS), Fitbit, Withings, Garmin Connect or Polar Flow

Legal basis

Your consent to the processing of health data relating to you for the purpose of using the app’s advanced medical functions as a medical device in accordance with Article 6(1)(b) of the GDPR in conjunction with Article 9(2)(a) of the GDPR.

You can enable the connection to these services within the app and disable it at any time in the settings.

Retention period

Until you withdraw your consent.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of the processing carried out prior to the withdrawal. Evidence of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

5.7 Importing health data from Thryve

Purposes

Thryve is a provider of single-access to health monitoring data. This includes, for example, devices from manufacturers such as Garmin, Fitbit, Polar, Withings and Omron, as well as sensors in your mobile phone or smartwatch. In particular, we have entered into data processing agreements with Thryve that meet the requirements of Article 28 of the GDPR, and we provide Thryve with instructions on how to handle the data. Through careful selection and regular monitoring, we ensure that our service providers take all organisational and technical measures necessary to protect your data.

Types of data

Once you have given your explicit consent to share your data, which is processed by your device manufacturer, we receive a key from mHealth Pioneers GmbH to uniquely link this data to your profile. You can determine the scope of the data yourself, depending on the manufacturer.

Legal basis

Your explicit consent to the import of your data from Thryve into the Manoa app in accordance with Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR.

Retention period

Until you withdraw your consent.

Recipients

Thryve is operated by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Proof of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

You can enable the connection to these services in the app and disable it at any time in the settings.

5.8 Sharing a PDF report with doctors

Purposes

In the app, you can create a PDF report containing your health data (in particular blood pressure readings) and share it with your doctor for 48 hours. To do this, enter your name and generate an access code; with this code, the report can be viewed for 48 hours via the portal www.visite.manoa.app and downloaded from. Use of this feature is voluntary and takes place at your own initiative.

Types of data

The PDF report you generate (in particular blood pressure readings and other health data from the app), the name you enter, and the access code generated.

Legal basis

The creation and temporary provision of the report are carried out at your request and on the basis of your explicit consent in accordance with Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR.

Recipients

Access to the report is granted exclusively to those who receive the access code from you (usually your doctor). The portal www.visite.manoa.app – like the app – is operated within the European Union by our data processor, gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne. No data is transferred to a third country in this context.

Retention period

The shared PDF report is available for 48 hours and is then automatically deleted; the access code expires. If a code has expired, you can generate a new one in the app.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. You can also terminate an existing authorisation by allowing the access code to expire.

5.9 Support via the User Help Desk

Purposes

Processing your support enquiries.

Legal basis

The legal basis for our processing of the aforementioned data relating to you is our legitimate interest in providing a functional, secure and stable application and in responding to support enquiries from our users to ensure user satisfaction in accordance with Article 6(1)(f) of the GDPR. Insofar as data is processed in this context that allows conclusions to be drawn about your health within the meaning of Article 9(1) of the GDPR, we base the processing on Article 6(1)(c) in conjunction with Article 9(2)(i) of the GDPR, in conjunction with § 22(1) no. 1(c) of the BDSG, in conjunction with Articles 61 and 83 of the MDR (ensuring high quality and safety standards for a medical device).

Recipients

Zammad GmbH, Marienstraße 18, 10117 Berlin, acting as a data processor for the operation of our ticketing system for our user help desk.

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Retention period

For 36 months following the end of processing.

Objection

You may object to the processing at any time in accordance with Article 21(1) of the GDPR by contacting us via the contact details provided above.

5.10 Receipt of push notifications

Purposes

Sending push notifications to your device.

Types of data

  • Device token ID,
  • App ID,
  • Device identifier of your device,
  • Metadata,
  • Content of push notifications.

Legal basis

Your explicit consent to receive push notifications via the Manoa app in accordance with Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR. Access to information on your device (push token) is carried out in accordance with Section 25(1) of the TDDDG on the basis of your consent.

Recipients

If you use a device running an Apple operating system, Apple Distribution International Limited, Hollyhill Industrial Estate, Cork, T23 YK84, Ireland, is the recipient of the above-mentioned data. Further information on Apple’s data protection policy can be found here: https://www.apple.com/privacy/.

If you use a device running a Google operating system, Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland, is the recipient of the data mentioned above. Further information on Google Firebase’s data protection policy can be found here: https://www.google.com/policies/privacy/.

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Evidence of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

All notifications and access options can be enabled or disabled retrospectively in your smartphone’s settings menu.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

5.11 Payment processing for self-paying users

Purposes

To process and manage your purchases and to handle payments within the app.

Legal basis

Our legal basis for processing the data relating to you set out below is your contract of sale with us in accordance with Article 6(1)(b) of the GDPR. The retention of invoice and billing data is based on our legal obligation pursuant to Article 6(1)(c) of the GDPR in conjunction with Section 147 of the German Fiscal Code (AO). Insofar as this involves data that allows conclusions to be drawn about your health, we base the processing on Article 6(1)(b) of the GDPR (your contract of sale with us) in conjunction with Article 9(2)(a) of the GDPR (your explicit consent to the processing of your health data for the performance of your contract of sale with us) in conjunction with § 22(1) no. 1(c) of the Federal Data Protection Act (BDSG); separate consent is not required for this.

Types of data

The following data is processed for the purpose of handling and managing your purchases and for payment processing within the app: user master data, goods or services purchased, payment data, invoicing data.

The following data is transmitted to our payment service provider, RevenueCat, Inc.:

  • Your IP address
  • a randomly generated user ID
  • Confirmation as to whether the purchase was completed or cancelled
  • Region of the smartphone user account

Necessity

The processing of the above-mentioned data relating to you is necessary for the completion of your purchase. If you do not provide this data, we will be unable to sell you any goods or services via our app.

Recipients

RevenueCat, Inc., 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA.

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Transfer to third countries

The data relating to you mentioned above is transferred to RevenueCat, Inc., in the USA – a third country – on the basis of standard contractual clauses in accordance with Article 46 of the GDPR.

Retention period

Eight years in accordance with Section 147 of the German Fiscal Code (AO).

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of the processing carried out prior to the withdrawal. Proof of your consent and your withdrawal will be retained for three years following the withdrawal.

5.12 Disclosure for the purposes of scientific research

Purposes

To enable scientific research by universities and research institutions using health data processed via our app.

Types of data

The disclosure for scientific purposes relates primarily to the following data (non-exhaustive list):

  • Relevant medical readings relating to the supported conditions, e.g. weight, blood pressure readings, blood glucose readings, HbA1c, sleep logs, well-being;
  • Information on illnesses/health problems, e.g. high blood pressure or type 2 diabetes
  • Activity data such as number of steps and active minutes per day;
  • Medicines.

Legal basis

The disclosure of data is differentiated according to the recipient group and purpose, each having its own legal basis.

The anonymisation of your data for transfer to research institutes and universities for the purposes of scientific research within the meaning of Article 89(1) of the GDPR is carried out on the basis of our legitimate interest in facilitating scientific research in accordance with Article 6(1)(f) in conjunction with Article 9(2)(j) of the GDPR in conjunction with Section 27 of the Federal Data Protection Act (BDSG). A prerequisite is that the research adheres to methodological and scientific standards, is in the public interest, and that appropriate safeguards are in place to protect your rights and freedoms (see Recital 159 of the GDPR).

The transfer of pseudonymised health data to research institutions and universities for the purposes of scientific research within the meaning of Article 89(1) of the GDPR is carried out on the basis of our legitimate interest in facilitating scientific research in accordance with Article 6(1)(f) in conjunction with Article 9(2)(j) of the GDPR in conjunction with Section 27 of the Federal Data Protection Act (BDSG). A prerequisite is that the research adheres to methodological and scientific standards, is in the public interest, and that appropriate safeguards are in place to protect your rights and freedoms (see Recital 159 of the GDPR).

Recipients

Universities and research institutions.

Objection

You may object to the processing at any time in accordance with Article 21 of the GDPR – within the app (under More > Data Protection & Legal) or by email to datenschutz@pathmate.app (please use the email address you provided during registration).

5.13 Links to other organisations

If you have received an access code for the app from a company (e.g. your health insurance provider) that enables you to use the app, we may transfer further personal data to that company (for example, to enable the validity of an existing insurance policy to be checked or to enable the programme costs to be settled via the insurance provider). This transfer may also relate to health data. You will be informed of this in advance and we will seek your consent on the basis of Article 9(2)(a) of the GDPR. Billing is carried out either via your insurance provider on the basis of a cooperation agreement or – in the case of self-payment – via the relevant app store (see Section 5.11 ‘Payment processing for self-payers’). Billing and invoicing data are stored in accordance with statutory retention obligations (in particular Section 147 of the German Fiscal Code (AO)). Where billing takes place within the framework of programmes run by German health insurance funds, Pathmate Technologies AG remains the data controller for the processing of your user data; Pathmate Technologies GmbH handles the contractual relationship and billing with the health insurance fund and is itself the data controller for this commercial processing.

5.14 Health advice as part of Manoa Plus

Purposes

Manoa Plus is an enhanced version of the app offered by certain health insurance providers. Users of Manoa Plus can take advantage of a telephone consultation lasting approximately 20 minutes with a Pathmate health adviser to set personal goals and clarify any outstanding questions. Use of this service is voluntary.

Types of data

Appointment booking details (name or pseudonym, telephone number, selected time slot), the information you provide during the call – including health data – and any notes taken during the call.

Legal basis

Appointments are arranged and conducted to fulfil the Manoa Plus user agreement (Article 6(1)(b) of the GDPR); we process the health data provided during the consultation and the notes taken on the basis of your explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR).

Recipients

The consultation is conducted by telephone by Pathmate staff who are bound by a duty of confidentiality.

For appointment management, we enter your name/pseudonym and time slot into Google Calendar, which is operated by our data processor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on the basis of a data processing agreement in accordance with Article 28 of the GDPR.

Transfers to third countries

The data transferred to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is transferred to the USA – a third country with an adequacy decision pursuant to Article 45 of the GDPR – on the basis of the EU-US Data Privacy Framework.

Retention period

Appointment details are deleted as soon as they are no longer required for the organisation of the consultation; notes from consultations are deleted after twelve months, unless you request their deletion beforehand or withdraw your consent.

Withdrawal of your consent

You have the right to withdraw your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Evidence of your consent and your withdrawal will be retained for three years following the date of your withdrawal.

5.15 Expert seminars (for members of certain health insurance funds)

Purposes

We offer certain users who are insured with a partner health insurance provider the opportunity to take part in interactive online expert seminars. You can access these via a link in the app or by email. Participation is voluntary.

Types of data

Your affiliation with the relevant health insurance provider, your email address or in-app display name, and – for the purposes of participation – your display name, email address (if applicable), IP address and technical connection data; and – as the seminars are interactive – your video, audio and chat contributions, including any health data disclosed in the process.

Legal basis

The provision and delivery of the seminars take place within the scope of the services offered by your health insurance provider (Article 6(1)(b) of the GDPR); your participation is voluntary (Article 6(1)(a) of the GDPR). Insofar as you disclose health data during the seminar, the processing of such data is based on your explicit consent (Article 9(2)(a) of the GDPR).

Recipients

For the seminars, we use the video conferencing service Google Meet, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on the basis of a data processing agreement in accordance with Article 28 of the GDPR.

Other recipients include the expert speakers and, as the seminars are interactive, other participants may be able to see your display name, as well as your comments and chat messages.

Only anonymous, aggregated attendance figures, without any personal references, are transmitted to the health insurance provider.

Transfers to third countries

The data transferred to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is transferred to the USA – a third country with an adequacy decision pursuant to Article 45 of the GDPR – on the basis of the EU-US Data Privacy Framework.

Retention period

Invitation and participation data will be deleted after six months at the latest.

The seminars are not recorded.

5.16 Service channel – supplementary services provided in connection with use

Purposes

For users who have gained access to Manoa via their health insurance, we display information in the so-called ‘Service Channel’ about supplementary, programme-related services in the context of using Manoa (e.g. the option to take part in supplementary nutritional counselling).

Types of data

Your affiliation with the relevant health insurance provider, as well as general usage data (excluding health data) to select the services relevant to you.

Legal basis

We display these programme-related offers to you on the basis of our legitimate interest in providing relevant information within the scope of your programme (Article 6(1)(f) of the GDPR); we do not use any health data for this selection.

The offers are displayed exclusively by Pathmate; your personal data is not transferred to third parties or your insurance provider in this process. You can disable the display of these offers in the service channel within the app at any time.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Retention period

Until you object to the processing.

Objection

You may object to the processing at any time – within the app (under More > Data Protection & Legal) or by email to datenschutz@pathmate.app (Art. 21 GDPR; in the case of direct marketing, without restriction pursuant to Art. 21(2) GDPR).

5.17 Post-market clinical follow-up (PMCF) in accordance with the MDR

Purposes

As a manufacturer of a medical device, Pathmate is legally obliged under Article 61 and Annex XIV, Part B of Regulation (EU) 2017/745 (MDR) to continuously conduct clinical evaluation of the Manoa app after it has been placed on the market. This so-called Post-Market Clinical Follow-up (PMCF) serves to ensure the safety, performance and risk-benefit balance of the medical device throughout its entire product lifecycle.

The clinical follow-up serves the following specific purposes:

  • To confirm the clinical safety and performance of the Manoa app under routine conditions
  • Early identification of previously unknown side effects, risks or contraindications
  • Review of the benefit-risk profile for the authorised indications
  • Identification of misuse or inappropriate use (off-label use)
  • Updating the clinical evaluation in accordance with Article 61 of the MDR and the technical documentation
  • Preparation of periodic safety update reports (PSURs, in accordance with Article 86 of the MDR)

Types of data

Within the framework of PMCF, only the data required for clinical follow-up is processed. Directly collected personal data such as name or email address is not required for PMCF analyses and is expressly not used. In principle, we process:

  • Pseudonymised usage and interaction data (app usage, adherence, drop-out rates)
  • Pseudonymised medical history data (e.g. blood pressure readings, HbA1c, weight trends) in the context of the respective indication
  • Pseudonymised basic demographic data (age in age groups, gender, approximate region)
  • Reports of incidents, side effects or adverse events
  • Patient-reported outcome measures (PROMs) and satisfaction data, insofar as these are collected via the app
  • User feedback on safety and performance-related aspects

Data processed for PMCF purposes is pseudonymised prior to analysis. The key used for re-identification is kept separate both technically and organisationally and is accessible only to a strictly limited group of authorised persons. Re-identification takes place only to the extent required by law (e.g. in the case of reporting obligations under the MDR following a serious incident as defined in Article 87 of the MDR).

Where processing on an aggregated or anonymised basis is sufficient for the respective PMCF purpose, the data is anonymised immediately after analysis. The principles of data minimisation (Article 5(1)(c) of the GDPR) and privacy by design (Article 25 of the GDPR) are strictly observed.

Legal basis

The legal basis for this processing is our statutory obligation to carry out clinical follow-up as the manufacturer of the Manoa app, which is a medical device, in accordance with Article 6(1)(c) in conjunction with Article 9(2)(i) of the GDPR in conjunction with § 22(1) no. 1(c) of the BDSG in conjunction with Articles 61(11), 83 and 86 and Annex XIV, Part B of the MDR.

Retention period

Pseudonymised PMCF raw data is retained for the duration of the product authorisation plus ten years following the placing on the market of the last unit, in accordance with Article 10(8) of the MDR.

Reports of serious incidents are stored as part of the technical documentation for ten years in accordance with Section 14 of the Medical Devices Operator Regulation (MPBetreibV) in conjunction with Article 10(8) of the MDR.

Recipients

Recipients of pseudonymised or anonymised PMCF data may include:

  • The specialist departments responsible for clinical evaluation at Pathmate Technologies AG (Medical Affairs, Regulatory Affairs)
  • Appointed external clinical investigators and Clinical Research Organisations (CROs) acting as data processors in accordance with Article 28 of the GDPR
  • Notified Body in the context of conformity assessment – exclusively aggregated or anonymised data
  • Regulatory authorities (BfArM; EUDAMED) in the case of reporting obligations under Article 87 et seq. of the MDR
  • Scientific institutions for ongoing evaluations – exclusively anonymised or strictly pseudonymised

5.18 Surveys with users for product optimisation

Purposes

Product optimisation of our app.

Types of data

  • Information regarding suggestions for improvement, bugs or malfunctions, and additional features
  • Your usage data

Legal basis

Our legal basis for contacting you to invite you to take part in a feedback session or complete a feedback form is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the continuous improvement of the usability, quality and safety of our product through direct feedback from practical use, as well as in fulfilling our obligations as a medical device manufacturer to carry out ongoing product evaluation.

Where health data is collected as part of the survey, we obtain separate consent for this in accordance with Article 6(1)(a) of the GDPR in conjunction with Article 9(2)(a) of the GDPR. Necessity

Retention period

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected.

Recipients

Our data processor for hosting services is gridscale GmbH, Oskar-Jäger-Str. 173, 50825 Cologne.

The technical development and operation of the Manoa app is carried out by Pathmate Technologies GmbH as our data processor.

Objection

You may object to the processing at any time in accordance with Article 21(1) of the GDPR by contacting us via the contact details provided above.