Privacy Policy for the headacy Website and App

This privacy policy applies to the processing of personal data by tame GmbH, Mainzer Strasse 20, 10247 Berlin, registered in the Commercial Register of the Berlin (Charlottenburg) Local Court under HRB 283771 (“Controller”, “headacy”, “we” or “us”) when using the headacy app (“App”) and when visiting our Website “https://www.headacy.com/” (“Website”).

headacy offers users an App, which provides user-focused content and digital features designed to support a mindful and balanced approach to managing migraine in everyday life and to promote personal well-being. The scope of the features included in the App depends on whether the user is using the free or paid version (the latter: “Subscription”).

The use of our App and visits to our Website involve certain processing of your personal data. Personal data is any information relating to an identified or identifiable natural person, e.g. name, address, email address. We process data that you provide to us voluntarily, as well as data that we collect from you when you use the App and visit our Website.

When processing your personal data, we comply with the applicable data protection laws, in particular the European General Data Protection Regulation (“GDPR”) and the Federal Data Protection Act (“BDSG”).

The purpose of this privacy policy is to inform you about which personal data we process, for what purposes and on what legal basis.

Name and contact details of the data Controller

The Controller responsible for the processing of your data is

tame GmbH, Mainzer Strasse 20, 10247 Berlin, registered with the Commercial Register of the Local Court Berlin Charlottenburg under HRB 283771.

Contact: support@headacy.com

Downloading of the App

When you download our App, the information required for the download is transmitted to the App store you have accessed, specifically your username, email address and customer number for your account, the time of the download, payment details and the unique device identifier. We have no influence over this data collection and are not responsible for it. We process the data only to the extent necessary for downloading the App to your mobile device.

Use of our App and Website

When you use our Website and our App, we automatically collect and store data that your browser transmits to our server (so-called server log files), whereby logging takes place only to the extent technically necessary.

The following information is collected:

The legal basis for the collection of this data is Article 6(1)(f) GDPR. Our legitimate interest in collecting this data arises from the following purposes:

Creating an account

Signing in with Apple and Google

You have the option to register in our App using the Apple and Google sign-in features. This saves you time during registration. When you sign in with your Apple or Google ID, depending on your selection, either the email address and/or name you have stored with Apple or Google, or a one-off email address generated by Apple, will be sent to us. In this case, Apple or Google receives the information that you are a user of our App.

The legal basis for integrating the Apple or Google sign-in feature into our App is Article 6(1)(f) GDPR. By using the sign-in feature, we are pursuing the legitimate interest of offering you a quick and easy way to register. The sign-in feature is therefore in both our and your interest.

Registration with an email address

In addition, you can register directly in our App by entering your email address and a password. To confirm the email address you have provided, we use a double opt-in procedure. This means that, following your registration, we will send an email to the address you provided, asking you to confirm your email address. As part of the registration process, you may voluntarily provide a name for your profile.

We process your email address, password and name in order to fulfil the user agreement concluded with you regarding the use of our App. The legal basis for this data processing is Article 6(1)(b) GDPR.

Retention period

We will delete the data collected and stored in connection with the creation of your account once you delete your account. If your account is inactive, we will delete your data after 24 months at the latest. However, early deletion of your personal data is not possible if and to the extent that your data is still required to process a Subscription via our App.

Irrespective of the foregoing, we store your data when you conclude a Subscription until the expiry of the statutory or any contractual warranty rights. After this period has expired, we retain the information relating to the Subscription required under commercial and tax law for the periods specified by law. During this period (usually ten years from the conclusion of the contract), the data will be processed solely in the event of an audit by the tax authorities.

Newsletter

If you provide us with your explicit consent, we will send you information about our offers by email. For this purpose, we process your name and email address. To subscribe to our newsletter, we use a double opt-in procedure.

The newsletter is sent on the basis of your explicit consent in accordance with Art. 6(1)(a) GDPR.

Processing of special categories of personal data (health data)

As part of the use of the App, we process special categories of personal data within the meaning of Art. 9(1) GDPR, in particular health data. This may include, in particular, information on migraine episodes and symptoms, medication, well-being, lifestyle and health factors, menstruation- and reproduction-related information, as well as other related or otherwise shared health information.

To provide the App

The processing of this data, based on your explicit consent, is necessary to provide the functions of the App in connection with the collection, storage, display and evaluation of your data. In particular, the aforementioned health data is processed to enable you to use the App in a structured manner, to display personal histories, and to provide related analyses, insights and other support features within the App.

The processing is carried out on the basis of your explicit consent in accordance with Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.

You may withdraw your consent at any time with effect for the future in the App settings or by contacting support@headacy.com. The withdrawal does not affect the lawfulness of processing carried out before it.

Please note that without the processing of the relevant health data, the provision of the App may be impossible in whole or in part.

To improve the App and the App’s functionality

With your explicit consent, we also process the aforementioned data in order to continuously improve the functions of the App and the information provided, and to better support users in managing migraines in the future. This includes, in particular, optimizing the user experience, improving existing analysis and support systems, and developing new features. Where possible, such processing is carried out in anonymized or pseudonymized form.

The processing is carried out on the basis of your explicit consent in accordance with Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.

You may withdraw your consent at any time with effect for the future in the App settings or by contacting support@headacy.com. The withdrawal does not affect the lawfulness of processing carried out before it.

Refusal or withdrawal of this consent has no adverse effect on the provision of the App and its functions.

Optimisation of the App and Website

Strictly Necessary (essential) Cookies

On our Website and, in particular, in our App, we use cookies that are stored temporarily in the working memory (“session cookies”) or permanently on your hard drive (“permanent cookies”). Cookies are small text files that are automatically created by your browser and stored on your device (laptop, tablet, smartphone, etc.) when you visit our Website. These files enable us to make the Website more efficient. Most of the cookies we use are so-called session cookies, which are stored only in temporary memory and not on your hard drive. Their validity expires when you close your internet browser, and they are therefore automatically deleted. Session cookies enable us to recognize that you have already visited individual pages of our website or that you are already logged into your account. Other cookies remain on the device you are using, so that you are recognised on your next visit.

Most browsers accept cookies automatically. However, you can set your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is set. Please note, however, that in this case you may not be able to use all the functions of the Website or App to their full extent.

The activation of cookies is necessary for the Website to function properly, so we have a legitimate interest in their use. The legal basis for the associated data processing is therefore Article 6(1)(f) GDPR.

We use the following non-essential cookies:

Adjust

We use the software of Adjust GmbH, Saarbrücker Str. 37a, 10405 Berlin, Germany (“Adjust”) on the basis of your consent in accordance with Art. 6(1)(a) GDPR. Using this tool, data is collected and stored from which usage profiles are created using pseudonyms. These usage profiles are used to analyze user behavior and evaluate marketing measures and are assessed in order to improve our services. Cookies may be used for this purpose, which enable the recognition of users. The pseudonymized usage profiles are not combined with personal data relating to the holder of the pseudonym without separate explicit consent.

When using Adjust, the transfer of personal data to third countries, in particular to the USA, cannot be excluded. For data transfers to third countries, appropriate safeguards are provided in the form of Standard Contractual Clauses of the European Commission in accordance with Art. 46 GDPR in order to ensure an adequate level of data protection.

Further information can be found in Adjust’s privacy policy: https://www.adjust.com/terms/privacy-policy/.

Meta Pixel

We use the Meta Pixel of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta Pixel”) on the basis of your consent in accordance with Art. 6(1)(a) GDPR. The Meta Pixel enables us to track user behavior after users have been redirected to our website by clicking on an advertisement on Facebook or Instagram. This allows us to evaluate the effectiveness of our advertisements for statistical and market research purposes and to optimize our services. Cookies may be used for this purpose, which enable the recognition of users.

When using the Meta Pixel, personal data may be transferred to Meta Platforms, Inc. in the USA. Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework and is listed in the Data Privacy Framework list maintained by the U.S. Department of Commerce. An adequacy decision of the European Commission pursuant to Art. 45 GDPR therefore applies to data transfers to this recipient.

Further information can be found in Meta’s privacy policy: https://www.facebook.com/privacy/policy/.

Typeform

We use the software of Typeform SL, Vía Augusta 29-31, 08006 Barcelona, Spain (“Typeform”) on the basis of your consent in accordance with Art. 6(1)(a) GDPR. Using this tool, we can provide online forms, surveys and other input fields, as well as process and store the data entered by users. The processing serves to handle and evaluate the respective request, survey or data entry, as well as to improve our services. Cookies may be used for this purpose, which enable the recognition of users. When using Typeform, usage data may also be processed.

When using Typeform, data may be transferred to the USA. Typeform uses Standard Contractual Clauses of the European Commission in order to ensure an adequate level of data protection.

Further information can be found in Typeform’s privacy policy: https://www.typeform.com/privacy.

Matomo

We use the software Matomo (“Matomo”) on the basis of your consent in accordance with Art. 6(1)(a) GDPR. Matomo is operated exclusively on our own servers. Using this tool, data is collected and stored from which usage profiles are created using pseudonyms. These usage profiles are used to analyze user behavior and are evaluated in order to improve our services. Cookies may be used for this purpose, which enable the recognition of users. The pseudonymized usage profiles are not combined with personal data relating to the holder of the pseudonym without separate explicit consent.

In this context, no data is transferred to third parties or to third countries.

Firebase

We use the services of Google Firebase, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Firebase”), on the basis of your consent in accordance with Article 6(1)(a) GDPR. This tool enables us to collect and evaluate usage data and user interactions with our App and Website in order to analyse user behaviour and improve our offering in terms of both technology and content. Cookies may be used for this purpose, which enable the user to be recognised.

When using Firebase, personal data may be transferred to Google LLC in the USA. Google LLC is certified under the EU-US Data Privacy Framework and is listed in the Data Privacy Framework list maintained by the US Department of Commerce. An adequacy decision by the European Commission pursuant to Article 45 GDPR therefore applies to data transfers to this recipient.

Further information can be found in the privacy policies of Firebase and Google: https://firebase.google.com/support/privacy/.

Other recipients of personal data

For the processing of your personal data, we partially rely on the services of additional external service providers (e.g. IT providers, payment service providers). These service providers process your personal data only for the purposes set out in this privacy policy, on our behalf and in accordance with our instructions under a data processing agreement in accordance with Art. 28 GDPR (this also applies to the providers referred to in Section 3.6).

Apple Health / Google Health

Our App enables integration with Apple Health (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA) and Google Health or Google Fit (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) (“Apple Health/Google Health Integration”). Processing is carried out on the basis of Article 6(1)(b) GDPR, insofar as the integration is necessary to provide the functions you have requested within the App, and on the basis of Article 6(1)(a) GDPR, insofar as you have given us your consent to the processing of your health data.

As part of the integration, health and activity data (such as movement data, training data or other health information you have shared) may be retrieved from the respective services and processed within our App. The specific data processing depends on the permissions you have granted within the respective platform.

We do not, as a matter of principle, transfer data to Apple or Google; rather, we merely access the data you have shared within the respective interfaces. However, it cannot be ruled out that Apple or Google may process personal data independently as part of the use of their services.

Further information on data protection at Apple and Google is available at https://www.apple.com/legal/privacy/de/ and https://policies.google.com/privacy.

AppSignal

We use the services of AppSignal B.V., P.O. Box 10212, 1001 EE Amsterdam, Netherlands (“AppSignal”) in our App and on our Website. Processing is carried out on the basis of Article 6(1)(f) GDPR, insofar as it is necessary for monitoring the stability, error-free operation, performance and security of our App and Website, and on the basis of Article 6(1)(b) GDPR, insofar as the processing is necessary for the provision of our contractual services. In the course of using AppSignal, technical usage data, error logs, device information, IP addresses and other data necessary for the analysis and resolution of technical faults may be processed in particular. The transfer of personal data to recipients outside the European Union cannot be ruled out in this context. For any data transfers to third countries, appropriate safeguards, in particular the European Commission’s standard contractual clauses pursuant to Article 46 GDPR, are provided to ensure an adequate level of data protection.

Further information on data protection at AppSignal is available at https://www.appsignal.com/privacy-policy.

Calendly

We use the services of Calendly, LLC, 271 17th St NW, Atlanta, GA 30363, USA (“Calendly”). Processing is carried out on the basis of Article 6(1)(f) GDPR, insofar as it is necessary for efficient appointment scheduling and organisation, and on the basis of Article 6(1)(b) GDPR, insofar as the processing is necessary for the performance of pre-contractual measures or the provision of our contractual services. In the context of using Calendly, contact details (e.g. name, email address), appointment details, communication content and technical usage data may be processed in particular. The transfer of personal data to recipients outside the European Union, in particular to the USA, cannot be ruled out in this context. Any data transfers to third countries are carried out on the basis of Calendly’s certification under the EU-US Data Privacy Framework in accordance with Article 45 GDPR; in addition, appropriate safeguards, in particular the European Commission’s Standard Contractual Clauses in accordance with Article 46 GDPR, are provided to ensure an adequate level of data protection.

Further information on data protection at Calendly is available at https://calendly.com/privacy.

Machtfit

We offer the option to purchase and redeem voucher codes via the provider Machtfit GmbH, Monbijouplatz 5, 10178 Berlin, Germany (“Machtfit”). Processing is carried out on the basis of Article 6(1)(b) GDPR, insofar as it is necessary for the purchase and redemption of voucher codes and the performance of a contract with you. When using this service, the data required for processing, in particular order, billing and contact details, is transmitted to Machtfit and processed there. Where Machtfit acts as an independent Controller, processing is carried out under Machtfit’s own responsibility under data protection law.

Further information on data protection at Machtfit is available at https://www.machtfit.de/datenschutz/.

Mailjet

We use the services of Mailjet GmbH, Alt Moabit 2, 10557 Berlin, Germany (“Mailjet”) to send emails. Processing is carried out on the basis of Article 6(1)(b) GDPR, insofar as it is necessary for communication with you, for the implementation of pre-contractual measures or the performance of a contract with you, and on the basis of Article 6(1)(f) GDPR, insofar as the processing serves the efficient and secure handling of our email communication. When using Mailjet, contact details, communication data and the content of emails may be processed in particular. When using Mailjet, the transfer of personal data to third countries, in particular to the USA, cannot be ruled out. In this regard, Mailjet refers to appropriate safeguards for international data transfers. Depending on the recipient, standard contractual clauses or, where applicable, other permissible transfer mechanisms may be used. Further information on data protection at Mailjet is available at https://www.mailjet.com/de/rechtliches/datenschutzerklaerung/.

Mollie

We offer the option of processing payments outside the App stores via the payment service provider Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands (“Mollie”). Processing is carried out on the basis of Article 6(1)(b) GDPR, insofar as the processing is necessary for the execution of the payment transaction and the fulfilment of a contract with you, as well as on the basis of Article 6(1)(f) GDPR, insofar as the processing is necessary for the secure and efficient processing of payment transactions and to prevent payment defaults. As part of the payment processing, the data required to carry out the transaction is transmitted to Mollie, in particular order and payment details as well as contact details. As Mollie, in its capacity as a payment service provider, independently decides on certain processing activities within the scope of payment processing, Mollie may also act as an independent Controller in this respect. Further information on data protection at Mollie is available at https://www.mollie.com/de/legal/privacy.

Hetzner

We process the data we store on servers belonging to Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (“Hetzner”). Processing is carried out on the basis of Article 6(1)(f) GDPR, insofar as it is necessary for the provision and secure operation of our Website and App, and on the basis of Article 6(1)(b) GDPR, insofar as the processing is necessary for the implementation of pre-contractual measures or the performance of a contract with you. In doing so, we store both data that you yourself enter on our Website and in our App on Hetzner’s servers, as well as data that we automatically collect from you when you visit our Website and use our App. The data is stored on servers within the European Union, so that your personal data is not transferred to recipients outside the European Union. Further information on data protection at Hetzner can be found in Hetzner’s privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz.

IONOS

We process the data we store on servers belonging to IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (“IONOS”). Processing is carried out on the basis of Article 6(1)(f) GDPR, insofar as it is necessary for the provision and secure operation of our Website and App, and on the basis of Article 6(1)(b) GDPR, insofar as processing is necessary for the implementation of pre-contractual measures or the performance of a contract with you. In doing so, we store both data that you enter yourself on our Website and in our App, and data that we collect automatically from you when you visit our Website and use our App. The data is stored on servers within the European Union, so that your personal data is not transferred to recipients outside the European Union. Further information on data protection at IONOS is available at https://www.ionos.de/terms-gtc/datenschutzerklaerung/.

RevenueCat

We use the services of RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA (“RevenueCat”) in our App. Processing is carried out on the basis of Article 6(1)(b) GDPR, insofar as it is necessary for the provision, administration and billing of Subscriptions and other paid services, and on the basis of Article 6(1)(f) GDPR, insofar as the processing serves the technical administration, error analysis and optimisation of our billing processes. In the course of using RevenueCat, contact data as well as billing and contractual data may in particular be processed.

When using RevenueCat, the transfer of personal data to the USA cannot be ruled out. For data transfers to the USA, appropriate safeguards in the form of the European Commission’s standard contractual clauses pursuant to Article 46 GDPR are provided to ensure an adequate level of data protection.

Further information on data protection at RevenueCat is available at https://www.revenuecat.com/privacy/.

Transfer of data to third countries

Except in the cases mentioned in sections 3.6 and 4, we do not transfer your personal data to recipients in countries outside the European Union or the European Economic Area.

Data security

All data you submit personally is transmitted using the secure and proven SSL (Secure Sockets Layer) standard, which is also used, for example, in online banking. We also employ appropriate technical and organisational security measures to protect stored personal data against manipulation, partial or complete loss, and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is stored exclusively on servers hosted within the EU that are certified to DIN ISO/IEC 27001 (in its current version).

Your rights

With regard to our processing of your personal data, you are entitled to the following rights free of charge:

Right of access under Article 15 GDPR

You have the right to obtain information from us as to whether and which data we process about you. This includes, amongst other things, details of how long and for what purpose we process the data, the source from which it originates, and to which recipients or categories of recipients we disclose it. You may also request a copy of this data from us.

Right to rectification under Article 16 GDPR

You have the right to have us rectify any inaccurate information about you without delay. You may also request that we complete any incomplete personal data. Where required by law, we will also inform third parties of this rectification, provided we have disclosed your personal data to them.

Right to erasure under Article 17 GDPR

You have the right to request that we erase your personal data without undue delay if any of the following applies:

Your right to erasure may be restricted on the basis of statutory provisions. This includes, in particular, the restrictions set out in Article 17 GDPR and Section 35 of the BDSG.

Right to restriction of processing pursuant to Article 18 GDPR

You have the right to request that we restrict the processing of your personal data if one of the following grounds applies:

If you have obtained a restriction of processing in accordance with the above list, we will inform you before the restriction is lifted.

Right to data portability pursuant to Article 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit this data to others. Exercising this right does not affect your right to erasure.

Right to object under Article 21 GDPR

In particular, under Article 21 GDPR, you have the right to object at any time to the processing of your data on grounds relating to your particular situation, where we base such processing on legitimate interests pursuant to Article 6(1)(f) GDPR. If you object, we will no longer process your personal data, except in two cases:

In particular, where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing purposes. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for that purpose.

Right to withdraw consent pursuant to Article 7 GDPR

You may withdraw any consent you have given to us at any time with effect for the future. This withdrawal may be made by sending an informal notification to the contact addresses listed above. If you withdraw your consent, it does not affect the lawfulness of the data processing carried out up to that point.

Right to lodge a complaint with the supervisory authority

If you believe that our processing of your data violates applicable data protection law, you have the right to lodge a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is:

Der Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin
Germany
Telephone: +49 30 13889-0
E-Mail: mailbox@datenschutz-berlin.de

You also have the right to lodge a complaint with a data protection supervisory authority competent for you regarding our processing of your personal data.

Automated decision-making (Art. 22 GDPR)

No automated decision-making, including profiling, within the meaning of Article 22 GDPR takes place.