Controller Responsible for Data Processing
MS Nucleus GmbH
Gundelfinger Straße 5
10318 Berlin
Germany
Commercial Register: Berlin (Charlottenburg)
Registration number: HRB 243388
Authorized Managing Director, Data Protection Officer: Frederik Marquart
Email address: frederik@elara-health.de
Categories of Processed Data
In the course of using the Elara Health App, we process in particular the following categories of personal data:
- Contact information: e.g. email address
- User account and profile data: e.g. user ID, profile details, settings
- Health and symptom data (special categories of data pursuant to Art. 9 GDPR):
e.g. information on energy levels, sleep, symptoms, medication intake, menstrual cycle, laboratory values, notes
- Measurement data from connected devices and services (optional):
e.g. heart rate, steps, sleep data, weight, blood pressure (e.g. via Apple Health, Google Fit, Garmin)
- Location data (optional): e.g. weather services
- Technical and device data: e.g. IP address, device type, operating system version, app version
- Content from uploaded files: e.g. PDF or image files containing laboratory reports
This data is collected either directly through your input, via synchronization with third-party services, or automatically when accessing the app.
Legal Basis for Processing
The processing of your personal data is carried out in compliance with the GDPR on the following legal bases:
- Art. 6(1)(a) GDPR (Consent)
For voluntary information (e.g. health data, use of wearables, location data), as well as for direct marketing, app integrations (e.g. Apple Health, Garmin), and analytics functions.
- Art. 6(1)(b) GDPR (Performance of a Contract)
For providing and using the Elara Health App, including user account management, symptom documentation, and the display of analyses.
- Art. 6(1)(c) GDPR (Legal Obligation)
Where statutory retention or disclosure obligations apply.
- Art. 6(1)(f) GDPR (Legitimate Interests)
To ensure app operation, error analysis, IT security, and improvement of app functionality. Our legitimate interest lies in providing a secure and user-friendly service. Your interests, fundamental rights, and freedoms have been duly considered.
- Art. 9(2)(a) GDPR (Explicit Consent)
For the processing of special categories of personal data, in particular health data (e.g. symptoms, laboratory values, medication data, cycle information).
Purposes of Processing
Your personal data is processed for the following purposes:
Provision and Operation of the App
- Registration and management of your user account
- Use of core functions (e.g. diary, evaluations, symptom tracking)
- Creation of trend and correlation visualizations (e.g. energy trends, crash score)
Analysis and Further Development
- Personalized presentation and analysis of your data
- Detection of individual patterns and trends
- Technical error diagnostics and performance improvement
App Integrations and Data Import
- Synchronization with services such as Apple HealthKit, Google Health Connect, or Garmin
- Processing of transmitted data for display and analysis within the app
Customer Support and Communication
- Responding to inquiries
- Sending technical information and updates
- In-app notifications and reminders
Marketing and Information (Consent-based Only)
- Sending newsletters or product information
- User surveys and feedback forms
Fulfillment of Legal Obligations
e.g. statutory retention obligations, tax or health-related requirements
Automated Evaluations
The Elara Health App uses automated procedures to evaluate your data, for example to display potential relationships between symptoms, energy, sleep, activity, mood, or laboratory values. These evaluations are solely intended for individual information and self-reflection.
Algorithmic assessments (e.g. a “Crash Score”) may be used based on predefined rules or models. However, no automated decision-making with legal effect or similarly significant impact within the meaning of Art. 22 GDPR takes place.
Users can review, export, or delete their data at any time.
Protection of Minors
The Elara Health App is intended exclusively for persons aged 16 and over. Use by minors under 16 is only permitted with the explicit consent of a legal guardian (Art. 8 GDPR).
Recipients of Data
Within our organization, only those departments that require access to your data to fulfill their tasks (e.g. customer support, IT, product development) receive such access.
In addition, we engage carefully selected service providers as processors pursuant to Art. 28 GDPR. These providers process your data exclusively on our behalf and in accordance with our instructions:
- Mistral OCR – AI-based processing of uploaded documents
- Google Fonts – Visual presentation
- Sentry – Collection and analysis of error messages and technical issues
All processors have been reviewed for data protection compliance and are bound by data processing agreements and appropriate safeguards (e.g. Standard Contractual Clauses for third-country processing).
Disclosure to third parties that are not processors only takes place if:
- you have explicitly consented (Art. 6(1)(a) GDPR), or
- a legal obligation exists (Art. 6(1)(c) GDPR).
App Stores (Apple / Google)
The Elara Health App is distributed via external platforms such as the Apple App Store and Google Play Store. In this context, personal data (e.g. device identifiers, payment information, download timestamps) is processed by the respective platform operators under their own responsibility.
We have no influence over the data processing carried out by these platforms. Please refer to their respective privacy policies:
Third-Party Keyboards
When using third-party keyboards (e.g. alternative keyboard apps on iOS or Android), there is generally a risk that input — including sensitive data — may be read or stored by the respective keyboard application.
The Elara Health App has no influence over the data processing of such keyboards, as they operate outside our app environment. Please carefully review which keyboard providers you grant access to your input.
We recommend using the standard system keyboard provided by your device to minimize the risk of unintended data processing.
Data Storage Location and Transfers to Third Countries
Some data processing is carried out by our service providers in countries outside the European Union (EU) or the European Economic Area (EEA), in particular the United States and Singapore. This includes, for example, hosting services (Supabase), authentication services, and OCR analyses.
When transferring data to third countries, we ensure an adequate level of data protection in accordance with Art. 44 et seq. GDPR by means of:
- Standard Contractual Clauses of the European Commission,
- appropriate technical and organizational safeguards, and
- where available, certification under the EU-U.S. Data Privacy Framework (for U.S. providers).
You may request a copy of the applicable safeguards at any time by contacting frederik@elara-health.de.
Data Retention Periods
We store personal data only for as long as necessary to fulfill the purposes for which it was collected.
Specifically:
- Diary data: stored as long as your user account is active. Upon deletion of your account, such data is permanently deleted unless statutory retention obligations apply.
- Technical data (e.g. log files): generally deleted or anonymized after a maximum of 90 days.
- Contractual and communication data (e.g. support inquiries): may be stored for up to 10 years in accordance with statutory retention obligations (e.g. commercial or tax law).
You may request early deletion or restriction of processing at any time, provided no legal obligation requires further retention.
Your Rights
Pursuant to Art. 15–21 GDPR, you have the following rights with regard to the processing of your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (“right to be forgotten”) under certain conditions (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object, in particular to direct marketing or processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
You may exercise these rights at any time without disadvantage by contacting us at frederik@elara-health.de. We will respond within one month.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
Data Protection for Users in Switzerland
For individuals residing in Switzerland, personal data is processed in accordance with the revised Swiss Federal Act on Data Protection (revFADP).
Data subjects have in particular the right to access, rectification, deletion, and to object to the processing of their personal data under applicable Swiss data protection law.
Complaints may be submitted to the Federal Data Protection and Information Commissioner (FDPIC).
Data Protection for Users in the United Kingdom
For individuals residing in the United Kingdom, personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Users have the same rights of access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.
Complaints may be submitted to the competent supervisory authority, the Information Commissioner’s Office (ICO).
Information for Users in the United States of America (USA)
Elara Health is not a “Covered Entity” or “Business Associate” under the U.S. Health Insurance Portability and Accountability Act (HIPAA). The Elara Health App is a wellness and self-management application and does not provide medical advice, diagnosis, or treatment.
For users residing in the State of California, additional rights apply under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to access, correct, delete personal data, and to object to the sharing of personal data.
Elara Health does not sell, rent, or share personal data for commercial purposes within the meaning of the CCPA/CPRA.
Requests to exercise these rights may be submitted at any time via email to frederik@elara-health.de.
Information for Users in Canada
The processing of personal data of users residing in Canada is carried out in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Personal data is processed solely for the purposes described in this Privacy Policy and generally on the basis of your consent or another lawful basis.
Users have the right to access their personal data and to request correction or deletion of inaccurate information. Complaints may be submitted to the competent supervisory authority or to us as the responsible entity.
Information for Users in Australia
The processing of personal data of users residing in Australia is carried out in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Users have the right to access personal data stored about them and to request correction of inaccurate information. Complaints may be submitted to us as the responsible entity or to the competent Australian data protection authority.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example when introducing new features. Where required, we will obtain renewed consent for material changes.
Last updated: 20 February 2026