Privacy policy for users of the TELUS Health Engage app

With this privacy policy, we inform you as a user of our TELUS Health Engage app about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG). Responsible for the data processing is eTherapists GmbH (subsequently referred to as "we" or "us").

I. General Information

1. Contact
   
   If you have any questions or suggestions regarding this information or if you would like to exercise your rights, please contact us at:
   
   eTherapists GmbH
   Invalidenstraße 117, 10115 Berlin, Germany
   Email: dataprivacy.support@engage.telushealth.com
   
   
2. Legal basis
   
   The term "personal data" in data protection law refers to any information relating to an identified or identifiable natural person. We process personal data in compliance with the applicable data protection regulations, in particular the GDPR and the BDSG. We only process personal data on the basis of a legal permission. We process personal data only with your consent (Art. 6 para. 1 letter a GDPR), for the performance of a contract to which you are a party or for the performance of pre-contractual measures at your request (Art. 6 para. 1 letter b GDPR), to comply with a legal obligation (Art. 6 para. 1 letter c GDPR), or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data override (Art. 6 para. 1 letter f GDPR).
   
   
3. Duration of storage
   
   Unless otherwise stated in the following information, we will only store data for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations. We will retain personal data that is contained in our accounting data for ten years from the end of the calendar year in which the data was collected, and personal data contained in commercial correspondence and contracts for six years. In other cases, we will keep data related to consent obligations and claims for the duration of the legal limitation periods. Data that we process on the basis of your consent will be deleted if you object to the processing for this purpose.
   
   
4. Categories of data recipients
   
   As part of the processing of your data, we use processors. Processing operations carried out by such processors include, for example, hosting, email delivery, maintenance and support of IT systems, customer and order management, order processing, accounting and invoicing, marketing measures, or document and data destruction. A processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively for us as the controllery and are contractually obliged to ensure appropriate technical and organizational measures for data protection. In addition, we may transmit your personal data to entities such as postal and delivery services, banks, tax consulting/auditing companies or tax authorities. Further recipients may result from the following information.
   
   
5. Data transfer to third countries
   
   Our data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable. Such a transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in such a third country. An adequacy decision applies to the following countries: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. For data transfers to the U.S., the adequacy decision applies to companies certified under the Privacy Framework and listed on this list (https://www.dataprivacyframework.gov/s/participant-search). If such an adequacy decision by the European Commission is not available, a transfer of personal data to a third country only takes place if suitable safeguards are provided in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met. Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the option to receive or view these EU standard contractual clauses in a copy. Please contact the address provided under contact.
   
   If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 para. 1 letter a GDPR.
   
   
6. Processing when exercising your rights
   
   When you exercise your rights under Art. 15 to 22 GDPR, we process the personal data transmitted to us for the purpose of implementing these rights and to be able to provide proof thereof. Data stored for the purpose of providing information and its preparation will only be processed for this purpose and for the purposes of data protection control, and in all other cases, processing will be restricted.
   
   These processing activities are based on the legal basis of Art. 6 para. 1 letter c GDPR i.V.m. Art. 15 bis 22 GDPR and § 34 para. 2 BDSG.
   
   
7. Your rights
   
   As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:
   
   
   • You have the right, in accordance with Art. 15 GDPR and § 34 BDSG, to request information as to whether and to what extent we process personal data concerning you or not. You can exercise your right to information within the app under "Account", "Manage Account", "Request Data".
   • You have the right, in accordance with Art. 16 GDPR, to request us to correct your data.
   • You have the right, in accordance with Art. 17 GDPR and§ 35 BDSG, to request us to delete your personal data. You can exercise your right to deletion within the app under "Account", "Manage Account", "Delete Account".
   • You have the right, in accordance with Art. 18 GDPR, to restrict the processing of your personal data.
   • You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
   • If you have given us separate consent for data processing, you can revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a revocation shall not affect the lawfulness of processing carried out on the basis of the consent before its revocation.
   • If you believe that the processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
   
   
   
8. Right to object
   
   According to Art. 21 para. 1 GDPR, you have the right to object to processing based on Art. 6 para. 1 letter e or f GDPR, for reasons arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 para. 2 and para. 3 GDPR.
   
   
9. Data Protection Officer
   
   You can reach our Data Protection Officer at the following contact details:
   
   Email: datenschutz@engage.telushealth.com
   Herting Oberbeck Datenschutz GmbH
   Hallerstr. 76, 20146 Hamburg
   https://www.datenschutzkanzlei.de
   
   

II. Data processing when using TELUS Health Engage

1. Processing of personal data - overview
   
   Personal data are all information relating to an identified or identifiable person. This includes information that can directly identify you, such as your name or photo. In addition, there is information that can indirectly reveal information about you, such as information about your body, impairments or complaints, as well as information about your leisure activities or data that you provide during use to improve quality. Pseudonymous information, i.e. information disclosed without mentioning your name, also falls under personal data. In data protection law, the IP address is generally considered to be personal data. An IP address is assigned by the Internet provider to any device connected to the Internet so that it can send and receive data. Health data are personal information that directly or indirectly provides information about a person's health. This includes information about physical well-being/complaints, and information about mental/psychological health. Health data are considered special categories of personal data and are subject to a particularly high level of protection.
   
   When using TELUS Health Engage, we collect information that you provide yourself. In addition, certain information about your use is automatically collected by us. In the following, we describe in detail which data we process about you for what purposes.
   
   
2. Cookies
   
   We use cookies and similar technologies (‘cookies’) in our app. Cookies are small data records that are stored on your device when you use our app. The use of cookies is partly technically necessary for the operation of our app and is therefore permitted without your consent. In addition, we would like to use cookies to offer special functions and to analyse our app and its use. These may also include cookies from third-party providers (so-called third-party cookies). You can find more information on this in this privacy policy. We only use such technically unnecessary cookies with your consent in accordance with § 25 (1) TDDDG and, if applicable, Art. 6 (1) (a) GDPR. Information on the purposes, providers, and storage duration of individual cookies can be found in the following table:
   
   

   Cookie	Provider	Purpose	Storage duration
   Crashlytics	Google Ireland Limited (Ireland/EU)	Improve app quality - transfer of app crash logs	Until the app is reinstalled/deleted
   Google Analytics for Firebase	Google Ireland Limited (Ireland/EU)	Personalization - click tracking to adapt/personalize features and content	Until the app is reinstalled/deleted
   Clevertap	WizRocket Inc. (USA)	Personalization of communication & push notifications	Until the app is reinstalled/deleted

   You can change your cookie preferences at any time and revoke your consent. You can find the revocation option in the app under Menu >> Account >> Settings >> Personalization.
   
   
3. Downloading the app
   
   When downloading the app, certain required information is processed by the app store you have selected (Google Play or Apple App Store), including the username, email address, customer number of your account, the time of download, and the unique device number. The processing of this data is carried out exclusively by the provider of the respective app store and is beyond our control.
   
   
4. Registration and setting up a TELUS Health Engage app user account
   
   To use one of our TELUS Health Engage services, you must set up a TELUS Health Engage user account. For registration, we typically collect your email address, your password, and your IP address. The login data that you enter to use the TELUS Health Engage services is stored on European servers by eTherapists GmbH's service provider.
   
   You can decide how you want to register your user account during the registration process. We offer the following options for registering your user account:
   
   
   1. Setting up a user account with an email address
      
      Setting up a user account and using the TELUS Health Engage service is possible using an email address.
      
      
   2. Setting up a user account with a Google account
      
      If you use the option to log in via Google, your email address and first name will be transmitted to us from your Google account. We only use this data for the purpose of registration and login. In return, Google can recognize when and how you logged in to TELUS Health Engage through the log-in service. No information about your use of the content or services provided will be passed on.
      
      
   3. Setting up a user account with "Sign in with Apple"
      
      If you use the "Sign in with Apple" option, you can choose whether to transmit the email address associated with your Apple ID or a private relay address (alias) to us. The private relay address automatically forwards all emails from us to the email address associated with your Apple ID. Further information on "Sign in with Apple" can be found here: https://support.apple.com/de-de/HT210318. We do not share any of your usage data regarding the content provided or services rendered by TELUS Health Engage with Apple.
      
      The data processing is carried out to fulfill the service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.
   
   
   
5. Data processing when using the app
   
   
   1. Automatic processing of personal data when using the app
      
      Automatic processing of personal data when using the app When you use our app, we collect the following data that is technically necessary for us to provide you with the functions of our app and to ensure stability and security:
      
      
      • IP address
      • Date and time of the request
      • Time zone difference to Coordinated Universal Time (UTC)
      • Content of the request (specific page)
      • Access status/HTTP status code
      • Amount of data transferred
      • User agent of the app
      • Operating system and its interface
      • Language and version of the app.
      
      
      The legal basis for the processing of this data is Art. 6 para. 1 letter f GDPR and it serves our legitimate interest in the security and stability of our app.
      
      The infrastructure will be operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/EU). AWS acts as a processor and may only process the data in accordance with our instructions. When using AWS, a transfer of your personal data to the USA cannot be ruled out. Please refer to the section "Transfer of data to third countries" for more information. In addition, we use the New Relic service of New Relic, Inc. (USA) to evaluate access and ensure data security, which processes the data exclusively as a processor. In this context, a transfer of data to the USA cannot be ruled out. Please refer to the section "Transfer of data to third countries" for more information.
      
      
   2. User profile and content data
      
      We process the data that you provide us in your user profile and the data that we collect and process when using the app. Your information in the user profile, such as weight, movement data or dietary habits (only if you voluntarily provide them to us), usage behavior and, under certain circumstances, also access rights to your smartphone (e.g. if you want to upload a profile photo). The data processing is carried out in order to provide you with our service and is based on the legal basis of Art. 6 para. 1 letter b GDPR.
      
      We store the user profiles and the data collected when using the app in CleverTap, a service provided by WizRocket Inc. (USA), which is contractually obliged as a processor to process the data exclusively in accordance with our instructions.
      
      Personalized Communication
      
      In CleverTap, we can analyze data in order to send push notifications based on user behavior and to customize the content of mailings. The data is only evaluated for this purpose and the personalized notifications are only sent if you have given your consent. The legal basis for this is Art. 6 Para. 1 Letter a of the GDPR. The legal basis for accessing your end device is § 25 Para. 1 TDDDG. You can revoke your consent at any time with effect for the future. You can find the cancellation option in the app under Menu >> Account >> Settings >> Personalization.
      
      Non-personalized Communication
      
      In CleverTap, we can send push notifications to you as a user to motivate you. An evaluation of your use does not take place for this purpose. The legal basis for displaying the notifications is our legitimate interest in accordance with Art. 6 para. 1 letter f GDPR in a clear user administration and a motivating address for our users.
      
      When using CleverTap, a transfer of data to the USA cannot be ruled out. See the section ‘Data transfer to third countries’.
      
      
   3. Health data
      
      When using our services, processing of health data under Art. 9 para. 1 GDPR cannot be ruled out. The processing is of this data is carried out to provide our services. The processing of health data is only carried out with your consent under Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR. The consent is voluntary. If you do not give your consent and do not provide us with health data, we cannot adapt the recommendations to your individual needs. There are no further disadvantages. You can revoke your consent at any time by navigating to the Account section in the app menu. Here you will find the Settings section, where you can revoke or change your consent.
      
      
   4. Anonymization
      
      We reserve the right to anonymize your personal data so that we can subsequently use it for evaluation and optimization purposes. Your data will be anonymized on the basis of the consent you gave us when you registered. The legal basis for this is Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR. You can revoke your consent at any time by navigating to the Account section in the app via the menu. Here, in the Settings section, you will find where you can revoke or change your consent if possible. Please note that revoking your consent means that you will no longer be able to use our service. The use of our service is voluntary.
      
      
   5. Use of activity information from connected accounts and third parties
      
      You can import activity information from other platforms into your TELUS Health Engage app. You must expressly agree on these platforms that you want to link these platforms with your user account to import this data. You also have the option to determine which data should be imported. You can link the following providers/platforms to your TELUS Health Engage user account:
      
      Apple Health App
      
      With an Apple product iPhone, you can record activity and health data or import it from different apps into the Apple Health app. You must expressly agree to share this data with TELUS Health Engage or allow TELUS Health Engage to export data to Apple Health. You can adjust revoke the authorization at any time. The exchange will only take place with your consent in accordance with Art. 6 Para. 1 letter a DSGVO in conjunction with Art. 9 Para. 2 letter a DSGVO, which you give to Apple and which you can revoke at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR and can be revoked at any time.
      
      Google Fit App
      
      With an Android device smartphone, you can record activity and health data or import it from different apps into the Google Fit app. You must explicitly agree to share this data with TELUS Health Engage and allow TELUS Health Engage to export data to Google Fit. You must expressly agree to share this data with TELUS Health Engage or allow TELUS Health Engage to export data to Google Fit. You can revoke the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR. TELUS Health Engage's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. The app requests the following authorizations for the corresponding purpose:
      
      
      • Permission: Information about "Fitness Location"
        Purpose: To record your data for step, running, and cycling challenges. Your location will not be queried by us.
      • Permission: Information about "Fitness Activity"
        Purpose: This allows us to differentiate between different types of activity and to query the relevant data (steps, running, cycling, heart points) for challenges and training minutes of the "weekly progress" and use it.
      • Permission: Information about "Fitness Body"
        Purpose: This allows us to obtain information about your height and weight in order to display steps, distances, and your personal health statistics in your profile.
      
      You can change the authorization at any time. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR, which you give to Google and which you can revoke at any time.
      
      Thryve Health SDK
      
      Thryve, a service of mHealth Pioneers GmbH (Germany/EU), allows you to connect and import activity data from various sources, including manufacturers Garmin, Fitbit, Polar, Withings, Misfit, and others, as well as sensors from your mobile phone or smartwatch.
      
      After your explicit consent to share your data that is processed by your manufacturer or that should be queried from your mobile phone or smartwatch, we receive only a key from mHealth Pioneers GmbH for the unique assignment of this data to your profile. You can determine the extent of the data yourself depending on the manufacturer. We do not receive any further profile information, such as the email address of your user account used with the manufacturer of your fitness tracker. The exchange only takes place with your consent according to Art. 6 para. 1 letter a GDPR i.V.m. Art. 9 para. 2 letter a GDPR and can be revoked at any time within your account of your manufacturer's device at any time.
      
      
   6. Consultation with health experts and support
      
      The TELUS Health Engage service offers you the opportunity to contact one of our health experts or support staff via email. The use of consultation with health experts is voluntary. If you choose to use the service of an individual consultation with a health expert, they will be able to view the health data you have stored in the TELUS Health Engage service. When you use our customer support, our support staff may access data from your user account to assist you. Data processing is generally carried out to fulfill our services and is based on the legal basis of Art. 6 para. 1 letter b GDPR. For communication with our experts, we use the Freshdesk tool provided by Freshworks Inc. (USA). As a result, data transfer to the USA is not excluded. See the section "Data transfer to third countries" for more information.
      
      
   7. Transactional emails, notifications, and product updates
      
      We will send you regular emails about the features and updates of our product. We also send transactional and notification emails. This is not advertising, but information about your account or our product. In doing so, personal data such as your name and email address will be processed. We base the sending of these emails on our legitimate interest in providing information about existing and new services. The legal basis is Art. 6 para. 1 letter f GDPR. You can object to receiving these emails by unsubscribing using the link in the email. The emails are sent via the Sendgrid service of Twilio Inc. (USA). As a result, data transfer to the USA cannot be ruled out. Twilio has binding corporate rules that have been approved by the supervisory authority and ensure an adequate level of data protection.
      
      We also analyze the reading behavior and opening rates of our product updates. For this purpose, we collect and process pseudonymized usage data that we do not merge with your email address or IP address. The legal basis for analyzing our updates is 6 para. 1 letter f GDPR, and the processing serves our legitimate interest in optimizing our updates. You can object to this at any time by contacting us using the contact channels mentioned above.
      
      
   8. Personalization (Google Analytics for Firebase)
      
      We use the Google Analytics for Firebase service from the provider Google Ireland Limited (Ireland/EU) in our app. The Google Analytics for Firebase service is a feature of the Google Firebase development platform. Google Analytics is an analysis service that enables us to collect and analyze data on the behavior of users of our app in order to compile reports on activities within our app. In the process, personal data is processed in the form of online identifiers, IP addresses, device identifiers, and information on interactions with our app. For more information on data collection in Google Analytics, please visit: https://support.google.com/firebase/answer/6318039. The data is transmitted to Google Ireland. Google acts as a processor and may only process the data in accordance with our instructions.
      
      Some of this data may be information stored on your device. Additionally, Google Analytics may store additional information on your device. Such storage of information by Google Analytics or access to information already stored on your device is only done with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 para. 1 letter a GDPR. The legal basis for access to your device is § 25 para. 1 TDDDG. You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Personalization.
      
      Google Analytics stores certain data associated with an advertising ID for 60 days and retains aggregated reporting without automatic expiration. The retention of user-level data, including conversions, is set to up to 14 months. For all other event data, the retention is set to 2 months. Data transfer to the USA is not excluded. Please refer to the section "Data transfer to third countries".
      
      
   9. Quality Improvements (Firebase Crashlytics)
      
      In our app, we use the Firebase Crashlytics service provided by Google Ireland Limited (Ireland/EU). Firebase Crashlytics is a function of the Google Firebase development platform, which is a crash reporting service that helps us improve the stability and reliability of our app. To do this, various data is collected and summarized in crash reports and sent to us. The data is transmitted to Google Ireland. Google acts as a processor and may only process the data in accordance with our instructions.
      
      Some of this data may be information that is stored on your device. Access to information that is already stored on your device will only be done with your consent. The legal basis for accessing the device is § 25 para. 1 TDDDG. If personal data is processed, the legal basis in this case is Art. 6 para. 1 letter a GDPR.
      
      Crash reports are only sent with your explicit consent. If you are using an iOS app, you can give your consent in the app settings or after a crash. In Android apps, there is the option to generally agree to the transfer of crash notifications to Google and app developers during the setup of the mobile device.
      
      You can revoke your consent at any time with effect for the future. The revocation option can be found in the app under Menu >> Account >> Settings >> Quality Improvement.
      
      This data is stored for a maximum of 90 days. Data transfer to the USA is not excluded. See the section "Data transfer to third countries" for more information.
      
      
   
   
   
6. Further data processing within the TELUS Health Engage app
   
   
   1. 1-on-1 Video Coaching
      
      You have the option to book a video conference with a professional coach. This requires access to the camera and microphone. Data processing only occurs when you use this feature, and it is necessary to fulfill our services, based on the legal basis of Art. 6 para. 1 letter b GDPR. The infrastructure will be operated on servers of Amazon Web Services EMEA SARL (AWS) (Luxembourg/EU). AWS acts as a processor and may only process the data in accordance with our instructions. When using AWS, a transfer of your personal data to the USA cannot be ruled out. Please refer to the section "Transfer of data to third countries" for more information.
      
      
7. Communication via email, phone, etc.
   
   When you contact us (e.g., via email or phone), the information of the requester, such as first name, last name, address, telephone number, email address, and the content of your message, is processed to handle the contact request and its processing in accordance with Art. 6 para. 1 letter b GDPR. This is done in order to communicate with you, such as by answering your questions, processing orders, or providing you with the desired information. For our internal communication, we use Google Workspace provided by Google Ireland Limited (Ireland/EU). As a result, data transfer to the USA is not excluded. See the section "Data transfer to third countries" for more information.
   
   
8. Anonymisation and sharing with companies, insurers, and health insurance funds
   
   We work with companies, insurers, and health insurance funds (TELUS Health Engage ID issuers) who want to provide you as their employees or you as member (policy holder)s with the TELUS Health Engage app to improve their health. As an employee or member, you are free to register with us. Employees or members are free to register with us. Using your professional email address when registering for the app is not required. Your professional email may only be necessary when requesting your TELUS Health Engage ID.
   
   Personal data will not be disclosed to companies, insurers, or health insurance funds. The data is evaluated solely in an anonymized form and, if necessary, used to create a completely anonymous health report for your TELUS Health Engage ID issuer., provided they enable you to use our service and you choose to use this option. Anonymization is ensured in this case by creating reports only when more than 15 people within a company or department use our app. The anonymity is ensured by the fact that we only generate reports if more than 15 people within a company or department use our app. It is not possible to draw conclusions about your personal health status based on the use of our app and our services.
   
   
9. Users of our services from Switzerland
   
   If you are a person within the scope of the Swiss Federal Data Protection Act, the provisions of the Federal Data Protection Act apply. This concerns in particular the applicable rights of data subjects under Art. 25-29, 32 DSG. In addition, the provisions of the GDPR and the BDSG are declared applicable and the applicable data protection laws apply.
   
   Data processing also takes place in the following countries outside Switzerland:
   
   Federal Republic of Germany
   
   United States of America (USA)
   
   We guarantee an appropriate level of data protection. This is ensured by:
   
   
   • an established adequate level of data protection in accordance with Art. 16 para. 1 FADP for the recipient country
   • standard data protection clauses that the FDPIC has approved, issued or recognized as a matter of priority, in particular, the standard contractual clauses of the European Commission;
   • an international agreement providing for an adequate level of data protection.
   
   
   Publishing Date: April 2025