Privacy Policy
Of the digital health application somnio
Last updated on 2025-08-01
1 Purpose, scope and general information
The privacy notice applies to the somnio application or app.
Internet access must be available to use the app. The use of internet-based services generally involves a certain security risk, which we minimize on our part. However, we cannot completely address all risks.
We use third-party libraries and software. These are used as sparingly as possible and are monitored regularly by us.
2 Tips on how to maximize the protection of your data
- use an email address that does not reveal any personal details (e.g. pm1234@test.com instead of peter.milller@test.com)
- the same applies for your self-chosen username (e.g. Superstar instead of Petra)
- To make sure that no data is left in RAM after closing the application, please restart or shut down your device. Data left in RAM can no longer be protected and may be read by third parties with access to your device
- Tips from the German Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/cyber-sicherheitsempfehlungen_node.html
3 Collection of general information
What? To display the application correctly, to connect to the application and to detect and defend against attacks
What information? IP address, information about the device used
Legal basis Art. 6(1)(f) GDPR, the legitimate interest lies in the protection of our application, as well as in the correct presentation of the app
You can object to this processing. To do so, please write to dataprivacy@mementor.de.
Deletion period IP addresses are stored for 10 days; data about the devices used is deleted immediately after the purpose has been fulfilled
Service provider no
4 Prescription transfer service (optional for German customers)
What? We take care of submitting the prescription to your health insurance company. You upload your prescription, we send it electronically (if possible) or by post to your health insurance company, and you then receive the activation code.
At the same time, an account will be created (see next point) so that you retain full control over your data.
What information? address details, email address, telephone number (optional), health insurance company, picture of the prescription with insurance number and name
Legal basis Art. 9(2), first sentence (a) GDPR (consent can be revoked at any time)
Deletion period immediately after redeeming the license code through the account or after a maximum of 90 days
Service provider Letter delivery: LetterXpress, provided by A&O Fischer GmbH & Co. KG, Maybachstraße 9, 21423 Winsen (Luhe), Germany
5 Sleep training
a) Account creation
What? Create an account for the application
What information? email address, passkey (How do Passkeys work? ; German) or email address, password
Legal basis Art. 6(1)(a) GDPR (consent can be revoked at any time)
Deletion period 30 days after creation (if no license code is used)
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
b) Code redemption
What?
For German customers: To start sleep training and to bill the service to your health insurance company or private health insurance: We send the entered code to an interface of the health insurance company, or verify it with your private health insurance company to check that the code is genuine and up to date. If you have purchased somnio yourself, we check whether the code was issued by us.
For US customers: We use the code to verify that you are eligible to use the program
What information? activation code, email address, passkey (How do Passkeys work? ; German) or only activation code and registration date if an account has already been created
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
c) Log in
What? You must log in every time before using the application.
What information? email address, passkey (How do Passkeys work? ; German) or health ID or email address, password
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)
Deletion period no storage
Service provider provision of the passkey functionality: Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany
The consequence of the transfer is that the email address is stored on RDS (a service of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States) in Frankfurt (Main), Germany. Despite a contractual assurance from Amazon Web Services that all data remains in Germany, a transfer of the email address and passkey to a third country cannot be completely ruled out. However, logging into our application is only possible with the additional key on your device. The passkey alone is useless, so only your email address would be affected in the event of a data leak.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transmitted for processing and will then be deleted immediately.
d) Sleep training with somnio
What? Independent progress monitoring, personalization of training
What information? self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider no
e) Activity trackers (optional)
What? Transfer of fitness tracker measurements to the application
What information? health data on sleep times and sleep behavior
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)
Deletion period 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider fitness tracker connection: Thryve by mHealth Pioneers GmbH, Körtestraße 10, 10967 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
f) E-mails
What? Sending reminder emails, registration emails, system emails, communication in special cases (security corrective measures)
What information? email address, self-chosen username
Legal basis Art. 6(1), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)
Deletion period data will only be stored for as long as it is necessary for processing
Service provider provider for sending emails: Sendinblue of the company Newsletter2Go GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Data will only be transferred for processing and then deleted immediately.
g) Medical report (optional)
What? Create, export and send the medical report so that the healthcare professional can check your current status
What information? Aggregated therapy data: module progress, course of clinically relevant parameters, self-selected user name
In case of transmission of the access code by email: your email address, the email address of your practice - we always create a secure link that you can remove at any time, the email is pre-formulated and must be sent by you
If you export the medical report, you are responsible for the security of this report, so please share it only with authorized people and delete it if it is no longer needed.
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (implied consent, revocable at any time)
Deletion period At the latest with the deletion of your account, 30 days after license expiration
Service provider no
h) Writing to the electronic patient record (optional for German customers)
What? Export of usage data to the electronic patient record, either manually or regularly automated - where available
What information? Usage data: sleep behavior, clinically relevant parameters
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 9(2), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time) - You must actively confirm the export
Deletion period no storage of data by mementor
Service provider Access to the ePA service: MEDKONNEKT GmbH, Schleißheimer Straße 91A, 85748 Garching b. München, Germany. Data will only be transferred for processing and then deleted immediately.
provision of the health ID functionality: azuma healthtech GmbH, Lindenstr. 4g, 81545 München, Germany. Data will only be transferred for processing and then deleted immediately.
i) Contacting support (optional)
What? If you would like to contact us directly and need human support for technical problems or have questions about program content
What information? email address
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 6(1), first sentence (c) GDPR and Section 4(2), first sentence DiGAV (implied consent, can be revoked at any time) - You write to us
Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Service provider no
j) Make an appointment for a support call (optional for German customers)
What? If you would like to contact us directly and need human support for technical problems or have questions about program content and if you want to do this by phone, you can book a support call
What information? name, email address, telephone number
Legal basis Art. 6(1), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (implied consent, can be revoked at any time) - You book an appointment with us
Deletion period Immediately, as soon as we no longer have to comply with our legal obligations to provide evidence - this varies depending on the type of request
Service provider appointment booking tool: Calenso; the provider is Braincept AG, Neuenkirchstrasse 19, 6203 Sempach-Station, Switzerland, Europe (website: https://calenso.com/en/)
The data is transmitted to Calenso and stored there until the support call.
k) Anonymization of data to improve the service and to demonstrate the ongoing suitability of the application
What? We anonymize or de-identify information according to applicable privacy legislation for fulfillment of regulatory requirements in post market surveillance, analytics, statistical purposes and product improvement
What information? self-chosen username, gender, age, health data on sleep times, sleep behavior, information on personal medical conditions, consumption of relevant substances such as alcohol and caffeine, subjective perception of performance and mood, prior knowledge, progress in the application
Legal basis Art. 6(1), first sentence (a) GDPR, Art. 6(1), first sentence (c) GDPR and Section 4(2), first sentence DiGAV (consent can be revoked at any time)
Deletion period no storage of personal data; data for the evaluation of modules in general is only stored anonymously, unless you explicitly want to be contacted afterwards, in which case the information will be used for a support request (see point i).
Service provider no
l) Collection of data for continuous improvement
What? As we are constantly striving to improve our applications, we ask for feedback on modules or other content within the application.
What information? Free text entries, ratings
Legal basis Article 6(1)(a) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance) (consent, revocable at any time) – consent is usually obtained in the module flow
Deletion periods Only data that has a further influence on the therapy is stored in a personalised form; this data is anonymised or deleted at the latest when your account is deleted, i.e. 30 days after the licence expires. All other data is recorded without personal reference.
Service providers None
m) Transfer of data for the purpose of conducting studies
What? Studies are not usually conducted by us, so it is necessary to transfer data to the study partner in order to conduct studies.
What information? All information specified in the relevant study protocol.
Legal basis Article 6(1)(a), Article 6(1)(c) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance) (consent, revocable at any time) – consent is not obtained within the application, but as part of the consent to participate in the study.
Deletion periods This is only a transfer, therefore no storage takes place within the scope of this processing
Service providers None
6 Other data processors
a) Hosting provider
What? In order for our application to work, it must be hosted. This includes the storage and processing of all data that is not processed directly on the end device
What information? All server-side processing of data, as well as the storage of data, including health data
Legal basis Article 6(1), first sentence (a) GDPR and Section 4(2), first sentence DiGAV (Digital Health Applications Ordinance)
Deletion periods 30 days after expiration of the license period, notification about the upcoming deletion: 14 days and 7 days before the expiration date, deletion can be postponed upon explicit request
Service provider IONOS Cloud, provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (server location Germany)
By using IONOS, all processed and stored data is transferred to the IONOS data center. IONOS has a variety of security measures in place to guarantee that your data is safe there. You can find more information at https://cloud.ionos.co.uk/protection.
7 Cookies
somnio uses so-called cookies. These are text files that are stored on your device by the server. Cookies are used in somnio to store session data after logging into the program. We would like to point out that this may involve certain risks. To ensure that your session cannot be hijacked by third parties, we recommend that you log out after each use of somnio.
After a session crash or unintended closing, cookies can remain on your device. Manually deleting cookies can improve your security.
8 Your rights
You can exercise the following rights by sending an email to support@somn.io.
You have the right to:
- obtain information about your personal data processed by us in accordance with Article 15 GDPR,
- demand the immediate correction of incorrect personal data, or the completion of personal data, stored by us in accordance with Article 16 GDPR,
- have your personal data stored by us deleted in accordance with Article 17 GDPR,
- restrict the processing of your personal data in accordance with Article 18 GDPR,
- receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller in accordance with Article 20 GDPR,
- lodge a complaint with a supervisory authority pursuant to Article 77 GDPR,
- revoke consent granted, in accordance with Article 7(3) GDPR.
- United States: Depending on your state of residence, you may have the right to file a complaint with your state attorney general's office if you believe we are in violation of applicable U.S. privacy laws.
9 Additional Information for Residents of Certain U.S. Jurisdictions
In this section, we provide additional information for residents of California and certain US states as required by privacy laws of applicable U.S. jurisdictions ("U.S. Privacy Laws").
Retention of personal information
We retain personal information for as long as reasonably necessary for the purposes described in this Notice, such as to comply with our tax, accounting and recordkeeping obligations, to provide you services, for our own business purposes and for research, development and safety purposes. We also retain personal information for an additional time as needed to protect, defend or establish our rights, defend against potential claims and to comply with our legal obligations. From time to time, we may also identify or aggregate your personal information, retain and use it for a business purpose in compliance with CCPA and applicable U.S. Privacy Laws.
Rights regarding your personal information
Certain U.S. Privacy Laws provide rights regarding personal information. This section describes those rights and how to exercise them, if applicable.
Right to know/request access. Regarding the personal information we have collected about you in the prior twelve (12) months, and subject to certain conditions and exceptions, you may request:
- the categories of personal information we collected about you
- the categories of sources from which we collected your personal information
- the business or commercial purposes for collecting, selling or sharing your personal information
- the categories of third parties to whom we have disclosed your personal information
- the specific pieces of your personal information collected.
Right to delete. Subject to certain conditions and exceptions, you may request that we delete your personal information.
Right to correct. Subject to certain conditions and exceptions, you may request that we correct inaccuracies in your personal information.
Right to opt-out of sales and sharing. You have the right to opt-out of the "sale" and "sharing" of your personal information, as those terms are defined under applicable U.S. Privacy Laws. While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics and advertising cookies may be considered "selling" and "sharing." To exercise your right to opt-out of the "sale" or "sharing" of your personal information, click the "Do Not Sell or Share My Personal Information" link at the bottom of our website. Please note that submitting an opt-out request will only opt you out of disclosures that are considered "sales" or "sharing," but it will not opt you out of other disclosures, such as to our service providers.
You may also have the right to opt-out of "sales" and "sharing" of your personal information by using an opt-out preference signal. If we detect that your browser or device is transmitting an opt-out preference signal, such as the "global privacy control" or "GPC" signal, we will opt that browser or device out of cookies that result in a "sale" or "sharing" of your personal information. If you come to our website or use our Services from a different device or from a different browser on the same device, you will need to opt-out, or use an opt-out preference signal, for that browser and/or device as well.
Right to non-discrimination. We will not discriminate against you for exercising any of the rights described in this section.
Authorized agents. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents must provide proof of their authorization in their first communication with us. We may also require the relevant consumer to directly verify their identity and the authority of the authorized agent.
We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements or (2) automated requests where we have reason to believe the security of the requestor’s personal information may be at risk.
Exercising your rights
If you are a resident of an applicable jurisdiction and want to exercise your rights, you may do so by:
- calling us at +1 (800) 424-0737
- completing this online request form.
Verification. Before responding to your request, we must first verify your identity using the personal information you recently provided to us. You must provide us with your email address and/or serial and device number. We will verify your request by matching the information you provided us with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary, to process your request. If we cannot verify your identity, we may deny the request and will explain the basis for the denial.
Response timing and format. We will respond to your request as required under the applicable U.S. Privacy Law. If we deny the request, residents of certain jurisdictions may appeal our decision by sending an email to privacy@resmed.com.
California "Shine the Light" disclosure
California's "Shine the Light" law (Civil Code § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. However, we do not disclose personal information to third parties for their direct marketing purposes.
Consumer health privacy information
Some jurisdictions, including Washington and Nevada, have enacted privacy laws specific to certain types of consumer health data. For additional information on how ResMed handles consumer health data and your potential rights under these laws, review our Consumer Health Data Privacy Notice at https://myair.resmed.com/policies/consumer-health-data.
10 Privacy policy changes
We reserve the right to amend the privacy policy in the event of changes in legal requirements or updates on our part. If you are already registered at that time, you will be informed.
11 Contact information
Responsible body in the sense of data privacy law
mementor DE GmbH
Karl-Heine-Strasse 15
04229 Leipzig
Germany
info@mementor.de
Contact details of the data privacy officer
mementor DE GmbH
Datenschutz
Karl-Heine-Strasse 15
04229 Leipzig
Germany
dataprivacy@mementor.de