Thryve API terms of use
Data protection information of the use of the services of mHealth Pioneers GmbH („Thryve“)
Your app service (subsequently “App”) has contracted mHealth Pioneers GmbH (subsequently “Thryve”), a limited company under German law, to provide access to end users’ data from a wide range of health and fitness trackers. To enable this transfer of data to your app service, you have to consent to the processing of health data by Thryve as outlined subsequently.
1. Responsibility for data processing
The App is the controller of your data. It has contracted Thryve (mHealth Pioneers GmbH, Körtestr. 10, 10967 Berlin) to process your data. A data processing agreement is in place. The data protection officer of Thryve is Hannes Schenk, privacy@thryve.de
2. Purpose of data processing
The App provides services using health and wellness related data. Thryve supports this service by accessing, harmonizing and providing your data upon authorization on behalf of the App.
3. Nature of data processed for the purpose
Data processed may fall into the following categories:
➡️ daily activities (such as running, walking, activity etc.)
➡️ sports (such as football, workouts, aerobics etc.)
➡️ sleep (such as deep sleep, light sleep, etc.)
➡️ vital data (such as weight, heart rate, blood pressure, blood sugar level, respiration etc.)
➡️ behavioral information (such as nutrition information, mood information, etc.)
➡️ Meta information (such as stress, range of motion)
The future incremental expansion of integrated sources may expand the number of data and data categories. You can inquire with App about the current extent of processed data at any time. The calculation of further values based on this data as the case may be, represents neither medical advice nor an individual diagnosis, but a mathematical result from the transmitted and measured values. The latter are subject to the inaccuracies of the devices used (for details see point 3.3.).
3.1. Health data and other special categories of data
Thryve may process health data within the meaning of Art. 9 para. 1 GDPR. Health data are all data that contain information about a person’s state of health or can be derived from this.
In addition, other special categories of personal data, such as biometric data, which may be contained in the data sets of connected data sources, may be processed. As any processed fitness tracker data may potentially constitute health data, Thryve generally treats it as such as a precautionary measure.
3.2. Pseudonym
You are identified by the App within the Thryve service by a de-identified token (“Pseudonym”), that is randomly generated. The Pseudonym is the basis for further data processing and is linked to your data.
3.3. Data from connected sources
If you connect a data source and authorize it to share data with Thryve, your data from this source will be transmitted to our server and stored under your Pseudonym. The authorization procedure is determined by the respective providers of the data sources (as a rule, you typically have to log in to the respective data source via a website of the provider and grant approval for the App there. The data from the data source is forwarded to Thryve, from where the App retrieves the corresponding data for further processing.
If you connect the app to a data source other than Apple Health or Samsung Health, the server of the respective data source issues a token for our server, which is stored under your Pseudonym. The server uses this token to retrieve the data you have released from the server of the data source. This works without the app being involved, i.e. even if your smartphone is not connected to the internet or you delete the app. Access to and processing of data that Thryve has received via the Google Fit API follows the requirements for restricted use in accordance with the Google API Services User Data Policy. For the Apple Health and Samsung Health data sources, the data is transferred locally, i.e. the Apple or Samsung Health apps pass on the shared data on your device to the app via a special interface .
3.4. Access logs
Every time the app accesses the server, data about this process must be temporarily processed in a log file. In detail, the following data is processed for each access: IP address, date and time of access (timestamp), request details and destination address (protocol version, HTTP method, referrer, user agent string), name of the retrieved file and amount of data transferred, notification of whether the retrieval was successful (HTTP status code). This serves to ensure operation and to protect against and investigate attacks. This data is stored for seven days in the form of log files and then deleted.
4. Disconnecting connected data sources
To disconnect Apple Health and Samsung Health data sources, simply delete the App. You can also revoke the release of your data for the App in the respective Health app (e.g. Apple Health). To disconnect from other data sources, simply deleting the app is not sufficient, as this does not disconnect the server-to-server connection. The connection to the data source is only disconnected when the token stored for your pseudonym on the server expires or is deleted. You can disconnect your data sources within the App at any time. If the connection to the data source has been disconnected, the corresponding token on the server will be deleted.
5. Legal basis of data processing
The legal basis for the processing of your personal data described above is your express consent (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR), which you have given to the app.
6. Revoking consent
You can withdraw your consent to data processing from the app at any time with effect for the future. The app will then instruct Thryve to delete your data in this case.
7. Deletion of data
Your personal access data (see 3.4) in the log files is always anonymized after seven days. If you withdraw your consent, Thryve will stop processing your data and delete your data completely. This can take up to 30 days.
8. Transfer of data
Your data is processed by Thryve on behalf of the App and transferred solely to the App. No further transfer of data occurs beyond this.
9. Data protection rights
You have the following data protection rights in accordance with Art. 15-20 and 77 para. 1 GDPR:
➡️ The right to request information about what data has been stored about you and to have it corrected or completed if it is incorrect.
➡️ The right to have the personal data concerning you erased or restricted for processing.
➡️ The right to receive the data you have provided to us in a structured, commonly used and machine-readable format.
➡️ The right to withdraw your consent at any time without giving reasons with effect for the future and to stop using the app without any adverse consequences for you.
➡️ The right to lodge a complaint with the data protection officer of the controller (see section 1) or with a data protection authority.
Please note, that the App may require a verification of your identity to allow for exercising your data protection rights.