Balm takes your privacy seriously. We use industry-leading security to protect your personal information and follow all health data privacy regulations. Balm is not a substitute for medical care.
In the following, we provide information about the processing of personal data when using our web app (hereinafter referred to as the “Balm” app). Personal data are all data that can be related to a specific natural person, e.g., their name or IP address.
The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Significo GmbH, Cuvrystraße 1, 10997 Berlin, Germany, email: contact@significo.com. We are legally represented by Richard McCartney.
Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany, www.heydata.eu, email: datenschutz@heydata.eu.
The scope of data processing, processing purposes and legal bases are explained in detail below. The following legal bases for data processing can generally be considered:
Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. Specifically, we store the data generated when using the Balm app for as long as the corresponding user contract with the users exists. After that, the data are deleted or anonymized.
If the data are not deleted because they are required for other legally permissible purposes, their processing is restricted, i.e., the data are blocked and not processed for other purposes. This applies, for example, to data that we must retain for commercial or tax law reasons. Anonymised, aggregated data processed in the context of the analytics functions described in Section 2.7 are stored for the duration of the contractual relationship with the respective licensing organisation. Upon termination of that contractual relationship, the aggregated data will be deleted or further processed in a way that no longer permits any reference to the respective user group.
Data subjects have the following rights vis-à-vis us with regard to their personal data:
Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. Contact details of the data protection supervisory authorities can be found at bfdi.bund.de.
In the context of a business relationship or other relationship, customers, interested parties or third parties must only provide us with the personal data that is necessary for the establishment, execution and termination of the business relationship or other relationship or that we are legally obliged to collect. Without these data, we will generally have to refuse to conclude a contract or provide a service or will no longer be able to perform an existing contract or other relationship.
Mandatory information is marked as such.
We generally do not use fully automated decision-making pursuant to Article 22 GDPR to establish and implement a business relationship or other relationship. If we use such procedures in individual cases, we will provide separate information about this if this is required by law.
When you contact us, e.g. by email or telephone, the data you provide us with (e.g. names and email addresses) will be stored by us in order to answer your questions. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in answering inquiries addressed to us. We delete the data collected in this context after storage is no longer necessary, or we restrict processing if there are statutory retention obligations.
When users use our Balm app, we collect the data that are technically necessary for us to offer users the functions of our Balm app and to ensure stability and security. This is our legitimate interest, so the legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
The data processed in this respect are:
We process data in the Balm app in order to provide the user with the app functionalities. The legal basis for this processing is the Balm app use agreement concluded with the user.
The provision of the data marked as mandatory during registration is required for the conclusion of the contract. Users are not obliged to provide these data; however, it is not possible to use the Balm app without providing these data.
The data processed in this respect are:
Users can open a user account in the Balm app. We process the data requested in this context to fulfill the respective user contract concluded via the account, so that the legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
We delete the data when users delete their user account. In this context, the contact details provided during registration (name, email address and password) are deleted.
We use the email address in particular to correspond with you about Balm and the content offered there, to invite you to suitable studies and to obtain feedback.
We process the data provided when registering for the Balm app and the answers to questionnaires given when using Balm for the following additional purposes:
| Type of data | Purpose of data processing | Legal basis |
|---|---|---|
| Pseudonymous user ID, demographic data, data from your responses to questionnaires, your logs and elements of Balm used, your feedback. | All these data are used to fulfill the user contract with you and to provide you with the app.* | Art. 6 para. 1 lit. a GDPR; Art. 9 para. 2 lit. a GDPR (consent)* |
| Pseudonymous user ID, data from your responses to questionnaires, demographic information, your logs and elements of Balm used, your feedback, technical usage and history data. | Statistical (pseudonymous) evaluation for research purposes. | Art. 6 para. 1 lit. a GDPR; Art. 9 para. 2 lit. a GDPR (consent) |
| Your pseudonymous user ID, data from your responses to questionnaires, demographic information, your logs and elements of Balm used, your feedback, technical usage and history data. | All data are aggregated for research into the effectiveness of Balm; ongoing development of the product; to gauge user interest in potential future content for Balm and to gather users’ views on Balm and its content; to select and invite users for studies in Balm that may be appropriate for them. | Art. 6 para. 1 lit. a GDPR; Art. 9 para. 2 lit. a GDPR (consent) |
| Pseudonymous user ID; questionnaire response data; demographic information; usage logs and elements of Balm used; technical usage and history data — processed in aggregated and anonymised form. | Provision of anonymised usage statistics to the organisation that has licensed Balm for your user group (e.g. your employer or health insurance provider), for the purpose of programme evaluation and management. | Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR (consent) |
| Technical data such as login data (user ID, date/time) in the form of technical log files. | These data are processed in order to be able to investigate and rectify any errors or faults. | Art. 6 para. 1 lit. f GDPR (balancing of interests, based on our legitimate interest in being able to investigate and eliminate any errors or malfunctions) |
* The consents given to us can be revoked at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After withdrawing the consent marked with “*”, you will no longer be able to use Balm.
As a rule, we do not transfer your personal data to third parties. The only exceptions to this are:
With your consent we use Posthog for analysis. The provider is Posthog Inc, 2261 Market Street #4008, San Francisco, CA 94114. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of your consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.
The data will be deleted if the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider’s privacy policy at https://posthog.com/privacy.
Note: This consent is required in order to use the Balm app. Withdrawing this consent will result in the termination of your ability to use the app.
We use Zitadel to manage authentication. The provider is ZITADEL (CAOS Ltd.), Lerchenfeldstrasse 3, 9014 St.Gallen, Switzerland. The provider processes contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) within the EU.
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in sufficiently authenticating users of our applications.
We delete the data when the purpose for which they were collected no longer applies. Further information can be found in the provider’s privacy policy at https://zitadel.com/docs/legal/policies/privacy-policy.
With your consent we use Customer.io for analysis. The provider is Peaberry Software, Inc, 9450 SW Gemini Dr Suite 43920 Beaverton, Oregon 97008-7105, United States. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of your consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.
The data will be deleted if the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider’s privacy policy at https://customer.io/legal/privacy-policy.
We use “Private Captcha” on our website. The provider of this service is Intmaker OÜ, Pärnu mnt 139b, Tallinn, Harjumaa, Estonia (“Intmaker”). Private Captcha is used to check whether data entered on the website (e.g., in the registration form) is entered by a human or by an automated program.
To do this, Private Captcha analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the user accesses the web page. For this analysis, Private Captcha evaluates various information (e.g., IP address, length of time spent on the website, or mouse movements made by the user). The data collected during the analysis are transmitted to Intmaker.
Further information about Private Captcha, the associated data processing by Intmaker, and the storage period of the data by Intmaker can be found in Intmaker’s privacy policy at https://privatecaptcha.com/legal/privacy-end-user/.
The legal basis for the processing is Art. 6 (1) (f) GDPR. We have a legitimate interest in protecting our app from abusive automated use by other computers.
We use Stripe for payment processing. The provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The provider processes payment data (e.g., bank details, invoices, payment history) and contact data (e.g., email addresses, phone numbers) in the USA.
The legal basis for this processing is Art. 6 (1) sentence 1 (b) GDPR. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The legal basis for the transfer to a country outside the EEA is an adequacy decision. The security of the data transferred to the third country (i.e., a country outside the EEA) is guaranteed because the EU Commission has decided, by means of an adequacy decision pursuant to Art. 45 (3) GDPR, that the third country ensures an adequate level of protection.
We delete the data once the purpose for its collection has ceased to apply. Further information is available in the provider’s privacy policy at https://stripe.com/privacy.
We use Sentry for error tracking in applications or on websites, and for application monitoring. The provider is Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA. However, processing takes place only on our servers.
We process meta/communication data (e.g., device information, IP addresses), usage data (e.g., websites visited, interest in content, access times), and content data (e.g., entries in online forms) within the EU.
The legal basis for processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in appropriately monitoring the functionality of our applications.
The data will be deleted once the purpose of its collection has ceased to exist and no statutory retention obligations prevent its deletion. Further information can be found in the provider’s privacy policy at https://sentry.io/privacy/.
The Balm app is in some cases made available by organisations (e.g. employers or health insurance providers) to their employees or members. These organisations are given access, via a secured analytics dashboard, to aggregated, anonymised statistics about the use of the Balm app within their user group. The purpose of this data use is to enable the licensing organisation to gain an overview of programme uptake and to evaluate the effectiveness of the offering.
Nature of data provided: The information made available to the licensing organisation consists exclusively of aggregated metrics, such as the total number of active users, questionnaire completion rates, and content usage statistics. No data is output that would allow the identification of individual persons. In particular, data points where the number of underlying users falls below a defined minimum threshold are automatically suppressed or rendered unidentifiable.
Legal basis: The processing of the underlying data prior to anonymisation is carried out on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Where health data within the meaning of Art. 9(1) GDPR is processed (e.g. data relating to the use of psychological questionnaires or interventions), we rely on your explicit consent pursuant to Art. 9(2)(a) GDPR. You may withdraw your consent at any time with effect for the future. Withdrawal can be communicated to us using the contact details provided in this privacy policy. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Technical and organisational safeguards: We have implemented technical measures to ensure that data output to licensing organisations does not permit conclusions to be drawn about individual persons. These include minimum group-size thresholds, the aggregation of all metrics, and ongoing review of anonymisation measures. Access to the analytics dashboard is restricted to authorised individuals and secured by appropriate technical access controls.
Data processing agreement: Where the licensing organisation acts as a data processor or joint controller in connection with this data use, we have concluded a corresponding agreement with it pursuant to Art. 28 or Art. 26 GDPR respectively.
Data Protection Impact Assessment: As the Balm app processes special categories of personal data within the meaning of Art. 9 GDPR in the course of the underlying processing activities, we have carried out a Data Protection Impact Assessment pursuant to Art. 35 GDPR. The results are available from our Data Protection Officer.
Where authorised users of the analytics dashboard are based or ordinarily resident outside the European Economic Area (EEA), access to the dashboard and the export of reports may constitute a transfer of data to a third country. In such cases, we ensure that appropriate safeguards are in place pursuant to Art. 46 GDPR, in particular through the conclusion of Standard Contractual Clauses issued by the European Commission. Information about the safeguards applicable in individual cases may be requested from our Data Protection Officer.
We reserve the right to amend this privacy policy with effect for the future. A current version is always available here.
If you have any questions or comments regarding this privacy policy, please do not hesitate to contact us using the contact details above.
If you or someone else is in crisis or at risk, please do not use this site. Instead, reach out to these resources for immediate assistance.