Privacy Notice

Effective date: 30 June 2025

Below we inform you about the processing of personal data when using our website (www.aware.app) and the Aware Mobile App. Personal data refers to any information relating to an identified or identifiable natural person, such as your name, address, email address, or user behaviour. This privacy notice applies to the processing of personal data in accordance with the General Data Protection Regulation (GDPR) of the European Union, as well as the revised Swiss Federal Act on Data Protection (revDSG) and its corresponding ordinance (DSV).

For clarity, the terms and references used below are primarily those from the EU General Data Protection Regulation (GDPR). For individuals residing in Switzerland, these references apply accordingly under the revised Swiss Federal Act on Data Protection (revDSG) and its corresponding ordinance (DSV).

1. Controller and Role Distribution

The processing of personal data in connection with the Aware services is carried out by various entities, each with their own responsibilities:

Aware Health GmbH (hereinafter "Provider" or "Aware Health")

c/o Maschinenraum GmbH

Zionskirchstraße 73a

10119 Berlin

datenschutz@aware.app

Controller within the meaning of Art. 4 No. 7 GDPR for: 

  • Operation of the website
  • Operation of the Aware Mobile App (technical functions, hosting, user accounts)
  • Management of contractual relationships in regards to the website and app (e.g. payment processing, marketing, newsletters)
  • Receiving, storing, and displaying all laboratory results in the Aware App

Aware Heilpraktiker GmbH (hereinafter "AHP")

c/o Maschinenraum GmbH

Zionskirchstraße 73a

10119 Berlin

datenschutz@aware.app

Controller within the meaning of Art. 4 No. 7 GDPR for:

  • Performance of blood sampling at the Berlin location
  • Compliance with statutory medical documentation requirements for such sampling

The partners listed in section 3.2.3 are independent controllers for on-site blood sampling and its statutory documentation. They only receive those master data required to carry out the appointment and do not have access to subsequent laboratory findings.

1.1. Representative for Switzerland under revDSG

In accordance with Article 14 of the revised Swiss Federal Act on Data Protection (revDSG), Aware Health GmbH has appointed DataRep as its Data Protection Representative in Switzerland. This allows individuals in Switzerland to contact a local representative directly in their home country.

If you are located in Switzerland and wish to exercise your rights under the revDSG in relation to personal data processed by Aware Health GmbH, you may do so by:

Sending an email to datarequest@datarep.com

Submitting a request online via www.datarep.com/data-request

Sending a letter to:
DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland
(Please ensure the request is addressed to “DataRep” and not directly to Aware Health GmbH.)

More information about your rights under Swiss law can be found via the Swiss Federal Data Protection and Information Commissioner (FDPIC):

https://www.edoeb.admin.ch/edoeb/en/home/datenschutz.html

DataRep acts as the local point of contact for privacy-related matters under Swiss law on behalf of Aware Health GmbH. When submitting a request, it is essential that you include identification documentation to ensure your data is not disclosed to unauthorized third parties.

2. Data Protection Officer

If you have any questions regarding this privacy notice or the protection of your data by the Provider or AHP, you may contact the Provider’s Data Protection Officer at any time by email at dsb@kertos.io.

3. What data is processed for what purpose?

3.1. Website and the Aware Web App

3.1.1. General use of the website

When using the websites, the following technically necessary data are processed:

  • IP address of the device used
  • Date and time of access
  • Content accessed (visited page, files retrieved)
  • Amount of data transferred
  • Access status/HTTP status code
  • Browser type and version as well as the operating system you use
  • Language and version of browser software
  • Referrer URL
  • Requesting provider
  • Screen resolution

The processing of the described data is technically necessary in order to display the website to you and to ensure stability and security. The Provider also evaluates this information for statistical purposes.

For the hosting of the website, we use an external service provider, Webflow, Inc., 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter "Webflow"). Your personal data is transferred to Webflow for the purpose of hosting the website. Further information can be found in Webflow's privacy policy or you may contact us about the concluded DPA.

The legal basis is Art. 6(1)(f) GDPR. The legitimate interest lies in providing a functional and user-friendly website.

3.1.2. Technically necessary cookies

The Provider uses cookies that are essential for the operation and delivery of website functions, in order to make your use of this website secure and user-friendly. Only in this way can users navigate the websites and operate the modules or functions. Without these cookies, the use of the website may not be possible, or only to a limited extent. For certain functions, it is necessary that the browser is recognized again after a page change. 

The data collected with the help of these necessary cookies is not used for the creation of user profiles. The following data is stored and transmitted in the cookies: 

  • Current session ID
  • Usage of certain website content, such as frequency or scope of use
  • Acknowledgement of specific website content

Since websites have no memory, cookies inform the server which pages should be displayed to the visitor. This means visitors do not have to remember everything or navigate through the entire site again.

The technically and functionally necessary cookies used are mostly session cookies. The data stored therein is automatically deleted after your visit ends.

We use the following necessary persistent cookies:

Category Provider Cookie Type Expiry Reason
Necessary Cookiebot 1.gif Pixel Session Used to count the number of sessions to the website, necessary for optimizing CMP product delivery.
Necessary Cookiebot CookieConsent HTTP 1 year Stores the user's cookie consent state for the current domain
Necessary Google test_cookie HTTP 1 day n/a
Necessary cdn.jsdelivr.net object(#-#-##:#:#.#) HTML Persistent Holds the users timezone.
Necessary cdn.jsdelivr.net t3D HTML Persistent This cookie is part of a bundle of cookies which serve the purpose of content delivery and presentation. The cookies keep the correct state of font, blog/picture sliders, color themes and other website settings.
Necessary cdn.jsdelivr.net tADe HTML Persistent
Necessary cdn.jsdelivr.net tADu HTML Persistent
Necessary cdn.jsdelivr.net tAE HTML Persistent
Necessary cdn.jsdelivr.net tC HTML Persistent
Necessary cdn.jsdelivr.net tMQ HTML Persistent
Necessary cdn.jsdelivr.net tPL HTML Persistent
Necessary cdn.jsdelivr.net tTDe HTML Persistent
Necessary cdn.jsdelivr.net tTDu HTML Persistent
Necessary cdn.jsdelivr.net tTE HTML Persistent
Necessary cdn.jsdelivr.net tTf HTML Persistent
Necessary www.aware.app tnsApp HTML Persistent
Necessary cdn.vidzflow.com __cf_bm HTTP 1 day This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
Necessary js.stripe.com __stripe_mid HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com __stripe_sid HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com cookie-perms HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com m HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com machine_identifier HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com private_machine_identifier HTTP 7 days This cookie is required to load the stripe checkout form.
Necessary js.stripe.com stripe.csrf HTTP 7 days This cookie is required to load the stripe checkout form.

The processing of data through technically and functionally necessary cookies is based on Art. 6(1)(f) GDPR to protect the legitimate interest in the error-free provision of the website, in conjunction with § 25(2) no. 2 TDDDG.

3.1.3. Optional cookies (statistics and marketing)

The operator also uses optional cookies. These cookies are only set if you have previously given your consent via the Cookie Consent Tool. The corresponding functions are activated only with your consent and may be used, for example, to analyze and improve the use of our website, to facilitate operation across different browsers or devices, to recognize you on a subsequent visit, or to display advertisements (potentially also to tailor advertising to your interests, measure the effectiveness of ads, or show you interest-based advertising). 

We use the following optional cookies for statistical purposes:

Category Provider Cookie Type Expiry Reason
Statistics Google td Pixel Session Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
Statistics Segment ajs_anonymous_id HTTP 1 year This cookie is used to identify a specific visitor - this information is used to identify the number of specific visitors on a website.
Statistics Segment ajs_anonymous_id HTML Persistent This cookie is used to count how many times a website has been visited by different visitors - this is done by assigning the visitor an ID, so the visitor does not get registered twice.
Marketing Meta Platforms _fbp HTTP 3 months Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
Marketing Meta Platforms lastExternalReferrer HTML Persistent Detects how the user reached the website by registering their last URL-address.
Marketing Meta Platforms lastExternalReferrerTime HTML Persistent Detects how the user reached the website by registering their last URL-address.
Marketing Google _gcl_au HTTP 3 months Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
Marketing Google IDE Pending
Marketing Google pagead/landing Pixel Session Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement - This also allows the website to limit the number of times that they are shown the same advertisement.
Marketing Google pagead/1p-user-list/# Pixel Session Pending
Marketing Segment __tld__ HTTP Session Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
Marketing Segment ajs_user_id HTTP Session This cookie is used to collect data on the visitor's behavior on the website - this information can be used to assign the visitor to a visitor segment, based on common preferences.
Marketing Segment ajs_user_id HTML Persistent Collects data on visitors' preferences and behaviour on the website - This information is used make content and advertisement more relevant to the specific visitor.
Marketing YoutTube LAST_RESULT_ENTRY_KEY HTTP Session Used to track user’s interaction with embedded content.
Marketing YoutTube LogsDatabaseV2:V#||LogsRequestsStore IndexedDB Persistent Pending
Marketing YoutTube remote_sid HTTP Session Necessary for the implementation and functionality of YouTube video-content on the website.
Marketing YoutTube ServiceWorkerLogsDatabase#SWHealthLog IndexedDB Persistent Necessary for the implementation and functionality of YouTube video-content on the website.
Marketing YoutTube TESTCOOKIESENABLED HTTP 1 day Used to track user’s interaction with embedded content.
Marketing YoutTube VISITOR_INFO1_LIVE HTTP 180 days Pending
Marketing YoutTube VISITOR_PRIVACY_METADATA HTTP 180 days Pending
Marketing YoutTube YSC HTTP Session Pending
Marketing YoutTube YtIdbMeta#databases IndexedDB Persistent Used to track user’s interaction with embedded content.
Marketing YoutTube yt-remote-cast-available HTML Session Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-cast-installed HTML Session Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-connected-devices HTML Persistent Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-device-id HTML Persistent Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-fast-check-period HTML Session Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-session-app HTML Session Stores the user's video player preferences using embedded YouTube video
Marketing YoutTube yt-remote-session-name HTML Session Stores the user's video player preferences using embedded YouTube video
Marketing AWIN awc HTTP 30 days Used to track whether a user has accessed the website via an affiliate link in order to attribute commissions correctly. This cookie supports conversion tracking within affiliate marketing.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You may adjust your cookie settings at any time by visiting the “Cookie Consent” section at the bottom of the website. You may withdraw your previously given consent at any time with future effect.

3.1.3.1. Customer Match & Lookalike Audiences

If you have given your explicit consent, we may use personal data such as your email address or telephone number for the purpose of “Customer Match” (Google) and “Custom Audiences” (Meta) in order to display interest-based advertising to you on those platforms. In this context, your information is transferred to Google Ireland Ltd. or Meta Platforms Ireland Ltd., where it is matched against existing user profiles. The goal is to display targeted advertising to existing users or to reach similar audiences (so-called “Lookalike Audiences”).

This processing only takes place if:

  • you have previously provided us with your data (e.g. during registration or newsletter subscription), and
  • you have explicitly consented to the use of your data for marketing purposes.

The legal basis for this processing is your consent in accordance with Art. 6 (1)(a) GDPR. This data processing may also involve the transfer of data to a third country (e.g. the United States). In such cases, we rely on the adequacy decision of the European Commission pursuant to Art. 45 GDPR (EU-U.S. Data Privacy Framework), provided the respective provider is certified under the framework.

You can withdraw your consent at any time with effect for the future – either via our Cookie Consent Tool or by contacting us at datenschutz@aware.app.

3.1.4. Contacting Us

Our services enable you to contact the Provider, for example by sending an email. When you choose to contact us, the Provider processes your personal and contact details, such as:

  • First and last name
  • Address
  • Email address and telephone number

Depending on the circumstances, we may also process data comparable to the categories listed above.

The information you provide when contacting us is stored in order to process your inquiry and any subsequent correspondence. If your inquiry is related to a contract, we delete the data in accordance with the contract retention periods; otherwise, the data is deleted when storage is no longer necessary, or processing is restricted if statutory retention obligations apply.

The processing of the aforementioned data is carried out for the performance of pre-contractual measures or the fulfilment of a contract pursuant to Article 6(1)(b) GDPR. Processing may also be carried out based on the Provider’s legitimate interest in responding to your inquiry pursuant to Article 6(1)(f) GDPR. In the event of unlawful use of this website, these data may also serve to investigate potential legal violations.

Within the context of website/app communications, the Provider generally remains responsible. If you contact us with medical questions, your request may be forwarded to AHP.

3.1.5. Social Media Plugins

This website uses buttons (“plugins”) from various social networks (Instagram, Twitter, LinkedIn) through which you can access Aware’s pages (“fan pages”). These plugins provide features determined by the respective social network providers. By activating the social media buttons, you consent to the transfer of your data (excluding your app data) to the respective network. For social media providers based in the USA, a different data protection level may apply than in EU member states, including statutory access rights of authorities.

Please note that Aware is not the provider of these social networks and has no influence on data processing by the respective service providers. Further information on individual plugins can be found on the respective providers’ websites.

3.1.6. Product recommendation-questionnaire

When you complete our product recommendation questionnaire on the website, we process your contact details (in particular your email address; and your name, if applicable) and your answers in order to qualify your request, contact you at your request, and provide you with information about our offers. The service is provided by Lovable, and the data is then stored in a database in Germany/EU by our data processor Supabase. The data is stored in a database in Germany/EU by our processor Supabase. The legal basis is your consent in accordance with Art. 6(1)(a) GDPR; you can revoke this consent at any time with effect for the future. If you also subscribe to the newsletter in the questionnaire, section 4 of this privacy policy applies in addition.

3.1.7. Aware Web App

We offer you the opportunity to book individual tests or purchase a membership (“AwarePro Membership”) directly via our website. In doing so, you will create an account in order to access your results in the app. If you wish to book tests directly via our website, we process your personal data as follows:

  • First and last name
  • Email address
  • Account information
  • Payment information
  • Information regarding test bookings

This data is collected in order to enable you to use our testing and results services. You need an account to book appointments and securely access your test results.

The processing of the aforementioned data is carried out for the performance of a contract pursuant to Article 6(1)(b) GDPR.

The above-described processing activities are hosted by Vercel. Vercel Inc. is a hosting provider based in the USA. Accordingly, your personal data collected during your use of our website may be transferred to and stored on servers in the USA. For this purpose, we rely on the adequacy decision pursuant to Article 45 GDPR (Vercel Inc. is certified under the EU-US Data Privacy Framework).

As soon as you enter medical data (for example, in a questionnaire), Aware Health processes this data as an independent controller, as long as it is exclusively for appointment booking or displaying your results. The actual blood sampling is carried out under the sole responsibility of the blood sampling facility named in section 3.2.3.

3.1.7.1. Medical Data in Connection with a Booking
The Provider (Aware Health GmbH) transfers your appointment and master data as an independent controller to the blood sampling facility you have selected (see list 3.2.3). This facility processes the data exclusively for the purpose of identity verification, collection of the blood sample, and for fulfilment of statutory documentation requirements.

3.1.8. Recipients of Personal Data

In the context of using the website/web app, we use processors who receive the data necessary for the respective service:

Processor Location Service category Data protection safeguards for data transfers outside the EU/EEA (if applicable)
Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg Cloud services and web hosting n/a In case data is transferred to Amazon.com, Inc. (US):
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Webflow, Inc. 398 11th St., Floor 2, San Francisco, CA 94103 Website building and hosting, and forms In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Personio Group SE Seidlstraße 3, 80335 München, Germany Job applications n/a
Google Ireland Limited (Google Analytics and Google Tag Manager) Gordon House, Barrow Street, Dublin 4, Ireland Analytics & tracking n/a
Twilio Ireland Limited 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland Telecommunications services n/a In case data is transferred to Twilio Inc. (US):
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Adjust GmbH Saarbrücker Str. 37A 10405 Berlin, Germany Analytics  & tracking In case data is transferred to Adjust, Inc. (US): Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Mixpanel, Inc. Pier 1, Bay 2, the Embarcadero San Francisco, CA 94111 Analytics  & tracking n/a In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Meta Platforms Technologies Ireland Limited Merrion Road, Dublin 4, D04 X2K5, Ireland Analytics  & tracking In case data is transferred to
Meta Platforms, Inc. (US): Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Usercentrics GmbH Sendlinger Straße 7, 80331 München, Deutschland Cookie Consent tool n/a
Typeform S.L. Barcelona, Carrer de Bac de Roda, 163, Spain Forms n/a
HubSpot 25 First Street, Cambridge, MA 02141, United States CRM In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Vercel Inc. 440 N Barranca Ave #4133, Covina, CA 91723 Hosting-Provider (Web App) In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Awin AG Otto-Ostrowski-Straße 1A,10785 Berlin, Deutschland Affiliate-Marketing and Tracking n/a
Supabase, Inc. HQ: San Francisco, California, USA Product recommendation questionnaire data base hosting n/a (Hosting in Germany)

3.2. Use of the Aware App

3.2.1. Advertising Tracking on iOS

On iOS, you have several options to limit advertising and tracking in accordance with GDPR. Tracking is generally carried out via the so-called "Advertising Identifier" (IDFA), which is a unique, non-personalized, and non-permanent identification number assigned to a specific device by iOS. Data collected via the IDFA is not combined with other device-related information. We use the IDFA to provide you with personalized advertising and to analyze your usage. Within the iOS settings under "Privacy," you can largely deactivate advertising analysis under "Tracking." If you enable the "Allow apps to request to track" feature, our app will ask for your consent to advertising activities the first time you use it, allowing you to enable or disable advertising. Additionally, under "Privacy," you can select "Apple Advertising" to disable "Personalized Ads." In the "Analytics & Improvements" section, you may also disable "Share iPhone Analytics" and "Improve Siri & Dictation," preventing statistical information about your iOS usage from being transmitted to Apple. Please note that restricting the use of the IDFA may limit some functionalities of our app.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR. You may change your cookie preferences at any time via the "Cookie Consent" section at the bottom of the website and withdraw your consent at any time with future effect.

3.2.2. Registration / User Account

In order to book services available via the Aware App, it is necessary to create a user account. This requires the processing of the following basic data:

  • First and last name
  • Telephone/mobile number
  • Email address

The processing of this data is necessary for the performance of the user contract according to the terms and conditions provided during registration. The legal basis is therefore the contract pursuant to Article 6(1)(b) GDPR.

3.2.3. Booking and Management of Appointments

When you book a service (e.g., blood test) via the app, the following data is processed:

  • Gender
  • Date of birth
  • Type of service
  • Date and location of the service
  • Basic data of the data subject
  • Health data of the data subject, such as (previous) illnesses, blood type, health status, medical information related to the results of the service (especially findings from examinations). For this purpose, we use the third-party tool Simpleprax.
  • Payment data

  • The data is automatically transmitted to the blood collection site you have selected (see below), which is independently responsible for collecting the sample.
  • The laboratory transmits the test results exclusively to the provider (Aware Health GmbH), which displays them in your user account.
  • The display of results in the Aware App is carried out under the responsibility of Aware Health GmbH.

The provider uses the data for appointment bookings and makes it available to an Aware partner (see below) for this purpose and for the execution of the appointment (e.g., blood collection). During sample collection, additional appointment-specific details may be processed by the Aware partner. If the booked service includes blood collection, the sample, together with the aforementioned information, is sent by the Aware partner to a contract laboratory commissioned by the provider for analysis. The blood collection site never has access to the subsequent laboratory results.

The necessary personal and health data are transmitted accordingly to our partners listed below:

  • Amsterdam (NLD): QUALEVITA NEDERLAND B.V., Van Baerlestraat 132, 1071 BD Amsterdam
  • Augsburg (DEU): Naturopath Claudia Rothenfusser, Maximilianstraße 19, 86150 Augsburg
  • Berlin (DEU): Aware Heilpraktiker GmbH, Zionskirchstraße 73A, 10119 Berlin
  • Berlin (DEU): dm-Market Berlin, Tauentzienstraße 2-3, 10789 Berlin
  • Berlin (DEU): Naturopath Betty Timpe, Marburger Straße 3, 10789 Berlin
  • Berlin (DEU): New Soul GmbH, Wilmersdorfer Str. 60, 10627 Berlin
  • Bochum (DEU): Longevity Medical Bochum, Bongardstrasse 2, 44787 Bochum
  • Bonn (DEU): Practice for medicine & aesthetics, Adenauerallee 23, 53113 Bonn
  • Cologne (DEU): Palmklinik GmbH, Sachsenring 29-31, 50667 Cologne
  • Dortmund (DEU): Naturopath Agata Vogel, Berliner Straße 44, 44143 Dortmund
  • Dresden (DEU): Ästhetik in Dresden GmbH, Postplatz 6, 01067 Dresden
  • Duisburg (DEU): Naturopath Jörg Prädel, Kardinal-Galen-Straße 20
, 47051 Duisburg
  • Düsseldorf (DEU): Naturopath Petra Freter, Wasserstraße 2, 40213 Düsseldorf
  • Essen (DEU): Coolbox GmbH, Rüttenscheider Straße 16, 45128 Essen
  • Frankfurt (DEU): Eterno Health GmbH, Bockenheimer Landstraße 33-35, 60325 Frankfurt am Main
  • Frankfurt (DEU): Magna Med Group, Opernplatz 14, 60313 Frankfurt am Main
  • Freiburg (DEU): Dr. Petar Hundeshagen, Karlsruher Straße 52, 79108 Freiburg im Breisgau
  • Hamburg (DEU): adameve Medical GmbH, Mühlenkamp 6, 22303 Hamburg
  • Hamburg (DEU): Eterno Hamburg GmbH, Bleichenbrücke 10, 20354 Hamburg
  • Hannover (DEU): youthconnection GmbH, Ernst-August-Platz 10, 30159 Hannover
  • Karlsruhe (DEU): dm-Market Karlsruhe, Kaiserstraße 146, 76133 Karlsruhe
  • Kiel (DEU): Naturopath Thomas Bücking-Selenz, Schaßstraße 17, 24103 Kiel
  • Leipzig (DEU): Dr. Jenny Koch, Gohliser Straße 16, 04105 Leipzig
  • Lübeck (DEU): Dr. Marc Stracke, Meesenring 1, 23566 Lübeck
  • Mannheim (DEU): Naturopath Sandra Bennette, Gotenstraße 13, 68259 Mannheim
  • Mönchengladbach (DEU): Dr. Ranjith Elam, Steinmetzstraße 47, 41061 Mönchengladbach
  • Munich (DEU): Magna Med GmbH, Bayerstraße 21, 80335 Munich
  • Munich (DEU): Naturopath Julian Seitz, Augustenstraße 47, 80333 Munich
  • Nuremberg (DEU): Naturopath Elke Rühl, Kleinreuther Weg 87, 90408 Nuremberg
  • Potsdum (DEU): Forvigor, Gutenbergstraße 1, 14467 Potsdam
  • Regensburg (DEU): General Practice Dr. Janßen, Isarstraße 2, 93057 Regensburg
  • Stuttgart (DEU): Naturopath Evelyn Marras, Nadlerstraße 10, 70173 Stuttgart
  • Tegernsee (DEU): MedVital GmbH & Co. KG, Perronstraße 7-9, 83684 Tegernsee
  • Ulm (DEU): Naturopath Anastasios Sitaridis, Donaustraße 10, 89073 Ulm
  • Vienna (AUT): IVme GmbH, Habsburgergasse 5/5A, 1010 Vienna
  • Wiesbaden (DEU): Dr. Anastasia Silvani, Ellenbogengasse 2, 65183 Wiesbaden

Each service provider listed above is solely responsible for data protection regarding sample collection and mandatory documentation (Section 630f of the German Civil Code / HeilprG).

The contract laboratory is MDI Labor Limbach Berlin GmbH (Aroser Allee 84, 13407 Berlin).

The laboratory then transmits the test results to the provider, which makes them available to the ordering person in their respective user account via the Aware App. The results are visible only to you. Before you can access them in the app, you must identify yourself using a code. The data remains accessible in the Aware App until you delete it or withdraw your consent.

For more information on data protection, please contact the respective cooperation partner.

Legal bases: - Booking & appointment: Article 6(1)(b) GDPR. - Blood collection (health data): Article 9(2)(h) GDPR in conjunction with Section 22(1)(b) BDSG under the sole responsibility of the blood collection site. - Receipt and display of laboratory results by Aware Health: Article 9(2)(a) GDPR (your explicit consent).

3.2.4. Secondary Use for Research Purposes

If you have provided your explicit consent, we use the results of the services you have requested in pseudonymized form for the purposes of studies and statistical analyses. This processing and subsequent anonymization are based on your consent pursuant to Article 9(2)(a) GDPR. Your personal data, including health data, will be pseudonymized in such a way that re-identification is excluded to the greatest extent possible.

3.2.5. Use of Your Photos

If you grant the Aware App access to your photo libraries, the provider will only use these data to provide the desired functions and services, such as uploading photos to the app or displaying them in a preview. We do not collect personal data from your photos and do not transfer any of your photos to third parties. Your data is treated confidentially and used exclusively for the purposes for which you have provided it to us.

The legal basis for processing is Article 6(1)(b) GDPR; in the case of health data, your consent under Article 9(2)(a) GDPR in conjunction with Article 6(1)(b) GDPR.

3.2.6. User Profiles

For the purposes of analyzing usage, tailoring the service to demand, and error detection, we create user profiles if you consent to this when using the mobile app. These data are not merged with other personal data.

The legal basis is your consent pursuant to Article 6(1)(a) GDPR.

3.2.7. User Surveys ("User Research")

If you provide your consent, we may conduct user research interviews with you. The aim is to assess your satisfaction with our app, our services, and the mediated health checks. For this, we process your personal data stored in our app (in particular your contact details for communication and information about used services) as well as personal data (including health data) disclosed during interviews. You will be informed about the purposes of processing the data collected in the interview or questionnaire as part of the user research request. Personal data (including health data). When you participate in interviews or user research, we inform you of the purposes for which we process the personal data (including health data) collected during the interview or questionnaire in accordance with GDPR requirements.

The processing of your data is based on your explicit consent pursuant to Article 6(1)(a) and Article 9(2)(a) GDPR.

3.2.8. Uploading Existing Laboratory Results

If you upload existing laboratory results (such as PDF files) to the Aware App, these documents are processed exclusively for the purpose of secure evaluation and storage within your user account. For this purpose, we transmit the uploaded documents to our partner Open Health Technologies B.V., which processes the data within the European Union.

Open Health acts as a data processor and a data processing agreement (DPA) has been established to ensure compliance with the GDPR.

The data contained within the uploaded documents, which may include personal and health-related data, is securely stored and is accessible only to you and authorized Aware personnel, as necessary for technical or support purposes.

You may delete uploaded documents at any time via the app or request their deletion by contacting our support team. However, deletion is not possible while the documents are under "analysis" status. Deletion is only possible once results have been successfully provided or if an error occurs during processing. During the processing phase (approximately 24 hours), the uploaded file is locked and cannot be deleted.

The legal basis for processing and transferring these documents is your explicit consent in accordance with Article 9(2)(a) GDPR and, where necessary for the functionality of the app and the user agreement, Article 6(1)(b) GDPR.

3.2.9. Health Questionnaire

During the Health Questionnaire at registration, we collect and process various categories of personal data to provide you with personalized health information and recommendations. This data includes: 

  • Physical information: This includes data such as your weight, height, and other physical characteristics. 
  • Dietary habits: We collect information about your nutrition, including dietary preferences and eating patterns. 
  • Physical activity: We request data regarding your physical activity, including frequency and type of activities. 
  • Medical conditions: We collect information about existing or previous medical conditions to obtain a comprehensive health profile. 
  • Substance use: This includes information regarding your use of alcohol, tobacco, or other substances. 
  • Emotional states: We collect information about your emotional well-being, such as stress levels or general mood. 

This sensitive health data is processed in accordance with Article 9 GDPR and is used solely for the defined purposes of analyzing and improving your individual health profile. Processing is based on your consent, which you may withdraw at any time with effect for the future. 

Please note that providing this information is voluntary. Without it, we cannot offer you personalized health services. 

3.2.10. Marketing Communications via Email and Push (Brevo, Wonderpush)

Where you give us your separate consent for marketing emails and/or for push notifications, we will use Brevo (for email) and Wonderpush (for push) to send you marketing communications and to tailor the content of such communications to your interests. You can opt in per channel (email and/or push). This is not required for the performance of the contract. We do not use health data for marketing or personalization unless you have given a separate explicit consent for that purpose.

For delivery only, we process the minimum technical data necessary (e.g., email address for emails; device push token, language, notification opt‑in state for push). For personalization within the channel you have consented to, we may process “user attributes” (e.g., name, language, country/region) and “events” arising from your use of our services (e.g., add to cart, purchase completed, appointment booked/cancelled). We do not use special categories of data (Art. 9 GDPR), in particular medical/health data or inferences thereon, for marketing communications unless you have explicitly consented to this separately.

Processing for marketing delivery and personalization is based on your consent (Art. 6(1)(a) GDPR). Where storing information on, or accessing information from, your device is required for non-essential purposes (e.g., SDK-based tracking/personalization), we rely on your consent pursuant to Section 25(1) TDDDG. You can withdraw consent at any time with effect for the future via the app settings or by contacting us.

For email delivery and personalization, we use Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin; and/or Sendinblue SAS, France) as our processor. For push delivery and personalization, we use Wonderpush (Wonderpush SAS, France) as our processor. Processing generally takes place within the EU/EEA. If, in exceptional cases, personal data are transferred to a third country, we ensure appropriate safeguards pursuant to Art. 46 GDPR (e.g., Standard Contractual Clauses) or rely on an adequacy decision (Art. 45 GDPR), as applicable.

We process and store marketing/personalization data only as long as the respective channel consent (email and/or push) remains in force. If you withdraw consent for a channel, we will (i) stop further collection and use for that channel without undue delay and (ii) delete or irreversibly anonymize previously stored personalization data and events for that channel in Brevo/Wonderpush within 30 days. For email, we keep your email address in a suppression list solely to ensure that you do not receive marketing emails after opting out; this is based on Art. 6(1)(c) and (f) GDPR in conjunction with Art. 21(3) GDPR and is stored in a minimized form (e.g., hashed with salt). If you withdraw push marketing consent, we delete the device push token. If you keep push consent but withdraw analytics/tracking consent, only the minimum technical data necessary for push delivery remain; all profiling/personalization data are deleted as described above.

Personalization of marketing communications under this section is tied to your channel consent (email and/or push). Any separate analytics consent you may grant (e.g., for app analytics via Firebase/Segment) remains independent and is not required for channel-specific marketing personalization; conversely, withdrawing the analytics consent does not affect the continued receipt of non‑personalized push/email if the channel consent remains active.

3.2.11. Recipients of Personal Data

In addition to the cooperation partners specifically named above, we also engage processors who receive the personal data necessary for the respective service (Other controllers: blood collection centers (see list 3.2.3) – independent controllers for sample collection; MDI Labor Limbach Berlin GmbH – independent controller for laboratory analysis).

Processor Adress/Country Service category Data protection safeguards for data transfers outside the EU/EEA (if applicable)
Twilio Ireland Limited 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland Telecommunications services n/a In case data is transferred to Twilio Inc. (US):
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Auth0 (Okta Inc.) 100 First Plaza San Francisco, California, United States Telecommunications services In case data is transferred to the US: Standard Contractual Clauses according to Art. 46 GDPR
Sendgrid (Twilio Ireland Limited) 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland Telecommunications services n/a In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Intercom, Inc. 55 2nd Street, 4th Fl., San Francisco, CA 94105, United States Telecommunications services In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Brevo (Sendinblue GmbH) Köpenicker Straße 126 10179 Berlin Telecommunications services n/a
Stripe Payments Europe, Limited (SPEL) 1 Grand Canal Street Lower, Ireland Payment service provider n/a In case data is transferred to Stripe, Inc. (US):
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Shore GmbH Ridlerstraße 31, 80339 München, Deutschland Payment service provider n/a
Mixpanel, Inc. Pier 1, Bay 2, the Embarcadero San Francisco, CA 94111 Analytics  & tracking n/a In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Adjust GmbH Saarbrücker Str. 37A 10405 Berlin, Germany Analytics  & tracking In case data is transferred to Adjust, Inc. (US): Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Meta Platforms Technologies Ireland Limited Merrion Road, Dublin 4, D04 X2K5, Ireland Analytics  & tracking In case data is transferred to
Meta Platforms, Inc. (US): Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Sentry (Functional Software, Inc. d/b/a Sentry) 45 Fremont Street, 8th Floor San Francisco, CA 94105 Error analysis In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg Cloud services and web hosting n/a In case data is transferred to Amazon.com, Inc. (US):
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Webflow, Inc. 398 11th St., Floor 2, San Francisco, CA 94103 Cloud services and web hosting In case data is transferred to the US:
Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Simpleprax UG Stieglitzgasse 24, 85551 Kirchheim bei München Medical history n/a
Zapier, Inc. 548 Market St. #62411. San Francisco, CA 94104-5401 Workflow Automation-Tool In case data is transferred to the US: Adequacy Decision according to Art. 45 GDPR (certified: EU-US Data Privacy Framework)
Awin AG Otto-Ostrowski-Straße 1A,10785 Berlin, Deutschland Affiliate-Marketing and Tracking n/a
Firebase (Google Ireland Limited) (Push notifications) Gordon House, Barrow Street, Dublin 4, Ireland Telecommunications services n/a
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland Mobile App Analytics (Firebase Analytics SDK) In the case of data transfers to the USA: Adequacy decision pursuant to Article 45 GDPR (certified: EU-U.S. Data Privacy Framework) and Standard Contractual Clauses (SCCs).
WonderPush, Société par actions simplifiée (SAS) 19 avenue d’Italie, 75013 Paris, France Delivery and personalization of push notifications Generally none; standard contractual clauses or other safeguards pursuant to Art. 46 GDPR are used for any transfers.

4. Newsletter

We offer a newsletter to keep you regularly informed about new developments, offers, and recommendations. The newsletter also contains advertising. You will receive the newsletter if you register directly via the newsletter form on our website or if you consent to receiving it during the account creation process. In this context, we process the personal data you provide (in particular your name and email address).

This processing is based on your consent in accordance with Art. 6(1)(a) GDPR.

Description of Data Processing and Purpose

We process your personal data (e.g., salutation, first name, last name, email address) for the purpose of contacting you via email or newsletter with marketing information about our products and services, provided you have given us your express consent. If consent is given, we may also process information about your interaction with our marketing emails, such as whether you received or opened the messages, which links you clicked, and the extent to which the emails were read (newsletter tracking).

Legal Basis for Data Processing

Processing is based on your consent (Art. 6(1)(a) GDPR). Consent is voluntary and can be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing performed before withdrawal. To withdraw consent, please use the unsubscribe link in our emails/newsletter, or contact us via support@aware.app.

Recipients

In the context of providing our services, your personal data may be transferred to the following recipients for the purposes outlined in this Privacy Policy:

Brevo (Sendinblue SAS)
106 boulevard Haussmann, 75008 Paris, France
More information: https://www.brevo.com/legal/privacypolicy/
Brevo acts as our processor for email communications and newsletter management and processes personal data exclusively on our behalf and in accordance with our instructions.

Wonderpush (Wonderpush SAS)
19 rue Michel Lecomte, 75003 Paris, France
More information: https://www.wonderpush.com/privacy-policy/
Wonderpush acts as our processor for the delivery of push notifications and related communication services.

Storage Period

Your data will be stored as long as necessary for the stated purposes or until you withdraw your consent. After this, the data will be deleted, unless another legal basis exists (e.g., legal obligations).

Data Processing in Third Countries

Data processing may also take place in countries outside the EU/EEA ("third countries"), such as USA or Canada. If an adequacy decision exists according to Art. 45 GDPR for the third country, processing will occur on this basis. Otherwise, standard contractual clauses (Art. 46(2)(c) GDPR) and, if necessary, additional measures are used to ensure an adequate level of data protection. Please note there may be risks regarding access by local authorities or limited legal remedies in non-EU countries.

5. International Transfers of Personal Data

When personal data are transferred to countries outside the European Economic Area, we only transfer them to third countries for which the European Commission has confirmed an adequate level of protection, or where we can ensure the careful handling of personal data through contractual agreements (Standard Contractual Clauses) or other appropriate safeguards, such as certifications or demonstrated compliance with international security standards. You may request information about this from us.

6. Automated Decision-Making

Data from your visit to this website or the use of the Aware App are not used for automated decision-making within the meaning of Art. 22 GDPR.

7. Data Deletion

Unless otherwise stated, the provider deletes or anonymizes your personal data as soon as they are no longer necessary for the purposes for which they were processed.

Data in the Aware App are generally stored for the duration of the usage or contractual relationship.

Storage may be extended beyond the specified period in the event of (pending) legal disputes with you or other legal proceedings.

Third parties engaged by the provider will store your data in their systems as long as necessary in connection with the provision of services for us according to the respective assignment.

Legal requirements (e.g. under Sec. 257 HGB or Sec. 147 AO) regarding retention and deletion of personal data remain unaffected. When the legally prescribed retention period expires, personal data will be blocked or deleted unless further storage is required and a legal basis exists.

Blood collection sites and the laboratory independently retain their collection documentation for at least 10 years (Sec. 630f BGB); the provider has no influence over this.

8. Your Rights

With respect to the provider (regarding website, app account, marketing, newsletter or other non-medical data):

  – Right of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent.

With respect to the blood collection facility you have chosen (regarding blood sampling data or its documentation):

  – Right of access, rectification, erasure (within the framework of statutory retention periods), restriction of processing, data portability, objection.

With respect to MDI Labor Limbach Berlin GmbH, if you wish to exercise your right of access to raw laboratory results directly there.

Please contact datenschutz@aware.app at any time if you have any questions. If your request concerns data processing by a blood collection facility or the laboratory, we will promptly forward your inquiry or provide you with the relevant contact details.

Additional Information for Persons in Switzerland (revDSG)

Controller

Aware Health GmbH, Zionskirchstr. 73a, 10119 Berlin, datenschutz@aware.app

Purposes of Processing

Correspond to the purposes described in this privacy notice (operation of website/app, appointment booking, blood collection, laboratory analysis, marketing, etc.).

International Transfers

Your personal data may also be processed in countries outside Switzerland or the EU/EEA. We ensure an adequate level of protection in accordance with Art. 16 revDSG, e.g. through the Swiss-US Data Privacy Framework or standard contractual clauses (CH-SCC).

Your Rights under Art. 25 et seq. revDSG

• Access and data provision 

• Rectification 

• Deletion

• Right to object to processing.

To exercise your rights, simply send a message to datenschutz@aware.app.

Supervisory Authority

Swiss Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch.