PLEASE READ THIS POLICY CAREFULLY BEFORE USING ADA HEALTH GMBH SERVICES.

You must be 16 years or older to use our Services.

Protecting your data, privacy and personal data (as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) is very important to Ada Health GmbH (“us”, “our” or “we”). It is vitally important to us that our customers (the “users”) feel secure when using our products and services.

This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at ada.com/terms-and-conditions, our Cookie Policy at ada.com/cookie-policy and any other documents referred to therein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.

Our Website may contain links to third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.

You can use “Ada” through our mobile application (the “App”) or, when and where available, embedded in a partner platform (the “Enterprise Solution”) (together, the “Medical Device”). This Privacy Policy describes our data processing when you use our Medical Device or simply access our website ada.com (the “Website”) or any service and/or product we may provide you (the Website together with the Medical Device and any of our products and services, the “Services”). Where certain processing activities relate only to a specific product such as the App or the Enterprise Solution, this will be clearly indicated.

1. Who we are

This Privacy Policy applies to any personal data processed by Ada Health GmbH (HRB 189710), Karl-Liebknecht-Straße 1, 10178 Berlin, Germany being the data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with the Services.

Questions, comments and requests regarding this Privacy Policy are welcome and should be addressed through our contact form here. Our data protection officer can be contacted at [email protected].

2. General overview of the data processing in connection with the Services

Before you start using our Services, you should read our Privacy Policy carefully. In order to use our Symptom Assessment and other health-related features, you have to consent to Ada analyzing the personal health data you voluntarily share in order to be provided with an assessment and health advice, for which you can find an information summary here.

This section 2 aims at giving you a quick high-level overview of the data processing activities in connection with the Services we provide you.

If you wish to read in detail all the data processing activities we undertake, we advise you to read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:

Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:

The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, phone number, symptoms of your illness, potential causes of your illness symptoms, health insurance (optional), medical history, any allergies you have, or further information required to verify your identity.

Information we collect about you: although we will not use it to identify you, we may collect the following data during each of your visits and use of our Services:

If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.

3. Which personal data we may collect and process, why and for how long

3.1 When you use our Website

3.2a When you register a user account or create a new profile in the App

3.2b When you use Ada through the Enterprise Solution

3.3 Health profile

3.4 Facebook Login / Apple Login

3.5 Symptom assessment

3.6 Partner options

3.7 Assessing your suitability for and inviting you to clinical research and referring you to health services for follow-up diagnostics

3.8 Use of health data for statistical and research purposes

3.9 Use of health data for public health purposes

3.10 Post-market surveillance and medical safety

3.11 Share limited information and increase Ada’s impact

3.12 Monitor usage to ensure proper use, functioning, maintenance and improvement of the Services and related emails

3.13 Direct marketing for our own similar products and services

3.14 Optimizing our marketing initiatives

3.15 Performance reports

3.16 Feedback / Surveys

3.17 Web-based Registration and Results Tool

3.18 Job application

4. Cookies and tracking on our Website

Our Website uses so-called “cookies”. Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term “cookies” to refer to all tools that collect data on our Website (e.g. IP addresses, place and time of the visit). Your data collected in this way is pseudonymized, and is not stored together with your other personal data. This processing is carried out on a legal basis and, where required by law, based on your consent.

For detailed information on the cookies we use, the purposes for which we use them and to manage your Cookie preferences, see our Cookie Policy.

5. Where do we store your personal data

The personal data that we collect from you is stored in the European Union on Cloud Servers of Amazon Web Services EMEA S.A.R.L. (“AWS”) with a business seat in Luxembourg and on the Cloud Servers of Google Commerce Limited (“GCL”), a company incorporated under the laws of Ireland, with its offices at Gordon House, Barrow Street, Dublin 4, Ireland. This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement, as long as the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments.

Sensitive information between your browser and our Website is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

6. Disclosure of your personal data

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement. A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here. Where we use service providers who process personal data on our behalf outside the EEA (or “third countries”), we do so with the appropriate safeguards for your data subject rights.

To a limited extent, we do use service providers situated in the US. In its decision C-311/18 (Schrems II), the CJEU held that the EU-US Privacy Shield is insufficient to safeguard your rights in the US and therefore invalid. Following this decision, we have reached out to our US-based service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of the European Data Protection Board.

Where we cannot provide these appropriate safeguards, we ask for your specific consent before sharing your data.

More details on third country service providers and the measures taken to ensure your rights are detailed in the relevant sub-sections of section 3 above.

6.2 In addition, we do not transfer your personal data to third parties, with the exception, when applicable, of the purposes listed below:

6.3 If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

6.4 If we or, substantially, all of our assets are acquired by a third party, personal data about our users will be one of the transferred assets.

6.5 If we are required on the basis of EU law or the law of a Member State to disclose or share your personal data.

6.6 We may disclose certain data to organizations involved in clinical trials and other types of research where you have explicitly authorized us to do so.

7. How long do we retain your personal data

We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle. 

After the processing of your data is no longer necessary for the purposes outlined in section 3 or your account is deleted (see section 3.2) we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs. 

We will retain accounting data in accordance with the commercial and tax law storage obligations of six or ten years (§ 147 German Tax Code, § 257 German Commercial Code).

We will retain Post-Market-Surveillance data (incl. health data) in accordance with our storage obligations according to the medical device law.

We will retain data (incl. health data) in relation to your use of our Services for three or ten years in accordance with our business needs for the purposes of establishing, exercising or defending against legal claims. 

If you were a user of the UK Doctor Chat services (which have not been available since 23 March 2018), your consultation details may be retained by us for a period of up to 10 years according to the UK Records Management Code of Practice Retention Schedule, or if otherwise required by the Care Quality Commission (“CQC”).

If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.

8. Your data subject rights

Under GDPR you have various rights in relation to your personal data (as listed below). All of these rights can be exercised by contacting us via our contact form, by selecting “Exercising My Data & Privacy Rights”.

Verification: in order to verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account. If there is no email address associated with your account, we may ask you for proof of ID.

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

9. Privacy information for California residents

If you are a California resident (as defined in section 17014 of Title 18 of the California Code of Regulations), California law requires us to provide you with some additional information regarding your rights with respect to your “personal information” (as defined in the California Consumer Privacy Act (hereinafter the “CCPA”) that came into force on January 1st, 2020).

We did not during the preceding 12 months, do not currently, and will not in the future sell or transfer your personal data to third parties (and will never do it without providing a right to opt out).

We may transfer your personal data to third party processors in order to achieve the purposes of the processing listed in Section 3 above, but only with the third-party processors with whom we have a data protection agreement in place. A full list of our third-party processors can be found here.

The CCPA provides Californian consumers with the following rights (which do not interfere with the GDPR):

In addition to the possibility to contact us through our contact form by selecting “Exercising My Data & Privacy Rights”, you can exercise any rights under CCPA or request further information regarding your rights by calling us through our hotline.

10. Privacy Information for Brazilian residents

If you are a Brazilian resident, Brazilian law requires us to provide you with some additional information regarding your rights with respect to your “personal information” (as defined in the “Lei Geral de Proteção de Dados” (hereinafter the “LGPD”) that came into force on September 18th, 2020).

To find out which categories of your personal information are processed and for what purposes, you can read section 3, titled “Which personal data we may collect and process, why and for how long”, within this document.

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

10.1 Your Brazilian privacy rights

You have the right to:

You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

10.2 How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document (e.g. an email at [email protected]), or via your legal representative.

10.3 How and when we will respond to your request

We will strive to promptly respond to your requests.

In any case, should it be impossible for us to do so, we’ll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

In the event that you file an access or personal information processing confirmation request, please make sure that you specify whether you’d like your personal information to be delivered in electronic or printed form.

You will also need to let us know whether you want us to answer your request immediately, in which case we will answer in a simplified fashion, or if you need a complete disclosure instead.

In the latter case, we’ll respond within 15 days from the time of your request, providing you with all the information on the origin of your personal information, confirmation on whether or not records exist, any criteria used for the processing and the purposes of the processing, while safeguarding our commercial and industrial secrets.

In the event that you file a rectification, deletion, anonymization or personal information blocking request, we will make sure to immediately communicate your request to other parties with whom we have shared your personal information in order to enable such third parties to also comply with your request – except in cases where such communication is proven impossible or involves disproportionate effort on our side.

10.4 Transfer of personal information outside of Brazil permitted by the law

As Ada is based in Germany, we only transfer your data, including health-related data, to Germany to provide our services. In addition to that, Ada uses third party services outlined in section 3 to transfer data to third countries.

We are allowed to transfer your personal information outside of the Brazilian territory in the following cases:

11. Privacy information for residents of Singapore

If you are a resident of Singapore, Ada guarantees your rights to information and correction according to Art. 21 and 22 of the Personal Data Protection Act (PDPA). Those rights apply in addition to your rights as data subject under the GDPR as explained in Sec. 8 above and can be exercised in the manner described there. Where you exercise both your GDPR and your PDPA rights simultaneously, Ada will guarantee those rights in addition to each other.

Regarding the legal basis for the processing of your personal data as explained in Sec. 3, please note that where the Use justification provided refers to the legal basis of necessity to perform a contract (Art. 6 I lit. a GDPR) this is considered to qualify as Deemed Consent according to Art. 15 PDPA. Where the Use justification provided refers to the legal basis of legitimate interest (Art. 6 I lit. f GDPR) this is considered to qualify as Deemed Consent by Notification according to Art. 15A PDPA with this privacy policy constituting the notice. Where the Use justification provided refers to the legal bases fulfilling a legal obligation (Art. 6 I lit. c GDPR) or processing for a public interest in the area of public health (Art. 9 lit. I GDPR) processing without your consent is required or authorised under the PDPA or any other written law. Where the description of the processing activity in Sec. 3 above specifies consent as the legal basis, this is considered to qualify as consent according to Sec. 14 PDPA. Please also see the table below:

| Legal basis under GDPR as described in Sec. 3 | Legal basis under PDPA |
| --- | --- |
| Performance of a contract, Art. 6 I lit. a GDPR | Deemed Consent according to Art. 15 PDPA |
| Legitimate interest, Art. 6 I lit. f GDPR, except Sec. 3.13. | Collection, use and disclosure without consent, Art. 17 (2), First Schedule Part 3 |
| Performance of a legal obligation (Art. 6 I lit. c GDPR); processing for a public interest in the area of public health (Art. 9 lit. I GDPR) | Consent not needed, Art. 13 (b) PDPA |
| Consent, Art. 6 I lit. a and Art. 9 II lit. a GDPR, Sec. 3.13. | Consent, Art. 14 PDPA |

12. Changes to this policy

Any changes we make to our Privacy Policy in the future will be posted on this page, and where appropriate, notified to you by email, notifications via the App, or by any other available means. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.