Privacy Policy of the myHeartHealth® App


  1. Subject of the privacy policy
  2. Responsible body
  3. Your rights
    1. Right to information
    2. Right to rectification or erasure
    3. Right to restriction of processing
    4. Right to data portability
    5. Right to object to processing
  4. Installing the app
  5. Required and processed authorizations & data
    1. Permissions
    2. Data for registration /activation
    3. Health data & fitness activities
    4. Permission for Location Data (Geo-Data) when using the myHeartHealth® App
    5. Data about app usage
    6. Payment
    7. Service Usage
    8. Device and location information
  6. App analytics
  7. Purpose of processing and legal basis
  8. Recipients of the data
  9. Backup
  10. Storage periods and deletion of the data used
  11. General questions and contact


Privacy policy


Last updated on 04-03-2024


  1. Subject of the privacy policy

This privacy policy provides you with information about how your personal data is collected and used.  Personal data is any information provided by you or by other persons we may associate with you that is personally related to you, e. g. name, address, mail address or user behavior.  Due to the further development of our app or the implementation of new technologies, it may be necessary to update this privacy policy. There will be no prior notification. The current data protection declaration can be viewed online or in the myHeartHealth app.


  1. Responsible body

Responsible for the purposes described in this declaration and compliance with the locally applicable data protection laws and the GDPR is CAREtower Management GmbH („we“, „us“) with registered office „Auf der Ell 9“ in 52078 Aachen, unless this privacy policy contains other information. The privacy policy remains unaffected until the update date on April 3, 2024


  1. Your rights

You have all the rights described below to all your personal data that you provide to us. Please read the explanations below carefully in order to exercise your rights in a timely manner.  Your request cannot be processed unless your identity can be verified. We may ask additional verification questions if we have reasonable doubts about your identity in order to protect all personal data and rights of our users.  In addition, you have the right to complain about the processing of your personal data by us to a supervisory authority.


3.1 Right to information

You have the right to information about the processed personal data and their processing purposes, categories and recipients as well as the planned storage period and all available information about the origin of the data, unless they were collected from you. When providing information, it must be ensured that your identity is verified.  You will be provided with a copy of the personal data that is the subject of the processing.  The right to obtain a copy must not affect the rights and freedoms of others.


3.2 Right to rectification or erasure

You have the right to request the immediate correction or completion of your personal data from the controller. In addition, you can request the deletion of your personal data if they are no longer necessary for the purposes for which they were collected or processed, if you revoke your consent or object to the processing or if the data has been unlawfully processed.  Where the controller has made the personal data public and is obliged to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that a data subject has requested the erasure by such controllers of any links to, or copy, those personal data, or has requested replication of this personal data.


3.3 Right to restriction of processing

You have the right to request a restriction of processing if you contest the accuracy of the personal data, the processing is unlawful, the data is no longer needed or you have objected to the processing. In doing so, you must allow the controller a reasonable period to verify the data.


3.4 Right to data portability

You have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format. In addition, you can arrange for this data to be transmitted to another controller, provided that the processing is based on consent or a contract or if the processing is carried out by automated means.  The right must not affect the rights and freedoms of others.


3.5 Right to object to processing

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, unless there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or that the processing serves to assert, exercise or defend legal claims. The revocation is valid with effect for the future. If personal data is used for direct marketing purposes or for scientific research purposes, you can object to the processing of your data at any time, unless the processing is necessary for the performance of a task in the public interest.


  1. Installing the app


The app can be downloaded from the Google Play Store and the Apple App Store, either directly or via a store link on the myHeartHealth® website. Upon launching the app, an email address must be provided, along with an optional name. An activation email with either an activation number or activation link will be sent to this email address. If the user chooses the supervised exercise option, participants will receive an email containing an activation number and download link. The app is initiated by entering this number or by opening the activation link. After activation, the app can be used on the device without the need for reauthentication. Additionally, by activating the app, you agree to our privacy policy. While using the app, you may optionally consent to the sharing of Bluetooth and geo-location data, which are necessary for utilizing the app within a supervised training program.


  1. Required and processed authorizations & data


5.1 Permissions

The app obtains the following permissions:

  • Identity: Find accounts on the device
  • Contacts: Find accounts on the device
  • Location: Access the approximate location (network-based), access the exact location (GPS and network-based), access additional service provider commands for location
  • Photos/ media/ files: read USB memory contents, change or delete USB storage contents
  • Other: Access all networks, disable hibernation, pair with Bluetooth devices, access Bluetooth settings, get network connections, read sync settings, enable or disable synchronization, run at startup, activity detection, receive push notifications


5.2 Data for registration and activation

To register, it is mandatory to provide your mail address. Optional information that can be collected during registration and later changed in the profile is the personal information name, gender, age/date of birth, height, weight, resting heart rate, maximum heart rate and language, as well as information on reason and motivation, such as the main goal, training goals and the level of athletic performance.  Through a health check, health information on heart problems, pain, dizziness, bone or joint problems or medication is given with yes/no questions.

For activation, the following data is sent to the backend of the myHeartHealth app: activation key, installation ID, device ID, model and serial number, operating system with version, device manufacturer, localization, screen height and width as well as the version of the app used and its contents.


5.3 Health Data & Fitness Activities

  • Fitness activities: duration and time, distance and altitude profile, calories, heart rate
  • Routes: training route, distance, altitude profile, speed (if the authorization to determine the location has been granted)
  • Pulse curve: Heart rate (if a heart rate sensor has been paired)
  • Vital data: peripheral & central blood pressure, heart rate (if an appropriate measuring device has been linked)
  • Heart health: personal log-in code, appointments for analysis and determined heart age


5.4 Permission for Location Data (Geo-Data) When Using the myHeartHealth® App

The myHeartHealth app enables supervised exercise by utilizing the user’s location data. This means that for this application, a coarse location determination (COARSE_LOCATION), typically done through mobile network towers or Wi-Fi networks, is required. Additionally, the user agrees that a more precise location determination (FINE_LOCATION), usually through GPS or other satellite technologies, is possible. This permission allows the app to determine the exact location of the device.

By using the app, you expressly consent to the app accessing the current location whenever it is in use. This access is necessary to ensure the intensity of supervised exercise based on your heart rate and the distance to supervised exercise facilities. Without access to your location data, it is not possible for us to offer an effective supervised exercise program.

We would like to emphasize that we may utilize your personal data, including your location data, to provide you with a high-quality supervised exercise experience.

By using our app, you agree that we may use your geodata in accordance with the provisions of this privacy policy.


5.5 Data about app usage

If you have activated error logging (opt-in), data on usage and errors in the app will be collected. We use this data to analyze problems and constantly improve the app.


5.6 Payment

Payments are processed via the payment providers Google and Apple. Although we do not store any financial data ourselves, we receive a transaction ID, duration, price, currency and VAT for the purchased product from the provider with each payment. The payment provider can assign the purchase to a person via the transaction ID.


5.7 Service Usage – Amazon Web Services

We use Amazon Web Services (AWS) to provide the videos and media files. The app downloads this content directly from AWS. This gives Amazon personal data such as IP address and information about the device, the operating system and the installed web browser.

For details on Amazon AWS‘ use of data, please refer to their Privacy Policy (


5.8 Device and location information

When using the app, we receive the following data: IP address, request of the app, time of the request, access status and amount of data transferred, product and version information about the app and installed web browser, operating system of the device, device identifier and features, information about the ISP or mobile operator


  1. App Analytics

The app installations, devices used and information on in-app purchases can be evaluated for statistical purposes. Crash reports can be submitted voluntarily via the corresponding functionality in the operating system.


  1. Purpose of processing and legal basis

We process the personal data to be able to provide you with our services and to be able to contact you. Unless you provide this information, we will not be able to provide you with the services. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit.b GDPR. Under certain circumstances, health data within the meaning of Art. 9 para. 1, Art. 4 No. 15 GDPR will be processed within the scope of the services offered. These are stored in an electronic patient record. The legal basis for the processing of this data is your express, voluntary and revocable consent in accordance with Art. 9 para. 2 lit. a GDPR.


  1. Recipients of the data

The above personal data will be used exclusively for the provision of our services and only the responsible persons will be granted access to the data. A transmission or disclosure of the data to other third parties does not take place.


  1. Backup

We take appropriate technical and organisational measures to address the risks arising from the use of your personal data, including loss or alteration or unauthorised access to your personal data, and to enable you to exercise your rights.


  1. Storage periods and deletion of the data used

The data will be stored as long as the user account exists. In addition, data will only be stored if this is required by law (due to warranty, statute of limitations or retention periods) or otherwise. If your user account is deleted, all data will also be deleted, with the exception of the data necessary to fulfil contractual obligations or to fulfil legal retention obligations. This data is not deleted, but minimized to the required extent.


  1. General questions and contact

For general questions or if you need immediate help and assistance regarding your rights or the way we use your personal data, please contact our team at

The contact details of the data protection officer can be found below: Ltd.

Pappelallee 78/79

10437 Berlin, Germany


Phone: +49 30 12053129