Privacy policy - App
(for patients)

1. Introduction

Welcome to the "elona therapy" privacy policy.

Elona Health GmbH (hereinafter: "we", "our" and "Elona Health") respects your privacy and is committed to protecting your personal data. "Personal data" means any information relating to an identified or identifiable natural person.

This Privacy Policy is intended to inform you about how we collect and process your personal data when you use the services via the elona therapy App (hereinafter: "the App") (including any data you provide in any of the aforementioned ways) and to inform you about your data protection rights and the legal protection of your data.

You must be 18 years or older to use our services. It is expressly prohibited for minors under the age of 18 to create, register or use an elona therapy account.

This information does not cover other websites, pages or services that can be accessed via hyperlinks in the app and that lead to resources outside the scope of the app. Clicking on these hyperlinks may allow third parties to collect or share information about you. We have no control over these third party websites and are not responsible for their privacy policies. When you leave our services, we recommend that you read the privacy policy of any website or mobile app you visit.


2. Important information & about us

elona therapy is a digital health application that supports patients in outpatient psychotherapy in the treatment of mental illness (depression, anxiety/panic disorders, somatoform disorders) by intelligently delivering therapeutic content between regular therapy sessions. With elona therapy, psychotherapists can assign interventions, helpful activities, exercises, and psychoeducational resources that provide patients with information and treatment techniques related to their mental illness and are available beyond the regular therapy session via the elona therapy app. The content is based on current and evidence-based psychotherapeutic treatment methods. Through the use of psychometric questionnaires and exercises, elona therapy adapts the content individually to the needs of each patient. The application is designed to strengthen the patient's active cooperation and participation in outpatient psychotherapy and the integration of therapeutic content into the patient's daily life, thus increasing adherence to outpatient psychotherapy, reducing the patient's symptomatology and improving quality of life.

The data controller in the context of the provision of your healthcare service is your healthcare professional (e.g., your psychotherapist) who referred you to our app. In this respect, elona therapy is a tool relied upon by your healthcare professional.

Elona Health processes your data independently and acts as a data controller only for as long as necessary to provide you with access to our app and its basic features for the intended use of the elona therapy digital health application by you as a user (e.g., to register your own account and to keep track of the data you do not want to share with your healthcare professional).

For all other data processing, Elona Health acts as a data processor, providing you with the mobile application to help your healthcare professionals collect and manage your personal data.

If you have any questions about this Privacy Policy or wish to exercise your legal rights (as described below), please contact us using the contact details provided below.

We have appointed Laura Sophie Everding as our data protection officer. She can be reached at the following e-mail address:

3. Scope of the processing of personal data

We process your personal data only to the extent necessary to provide you with a functional service. Personal data is regularly processed only with the consent of the data subject or on the basis of other legal provisions that permit data processing (for more information, see the section "Legal basis").

Your personal data can be integrated into the app either manually or automatically by healthcare professionals, or collected directly through the app.

Personal data also includes sensitive data of a special category (health data) pursuant to Art. 9 GDPR (hereinafter "sensitive data").

The data we process: personal data, or personal information, is any information about a person from which that person can be identified. This does not include data where the identity has been removed (anonymous data).

We may collect, process, store and transfer various types of personal data about you, which we have summarized as follows:

Type of data: Examples of data sets

Identification data: title; first name, last name, IP address; user ID; e-mail address; date of birth

Personal details: Gender

Health Data (Sensitive Health Data): Therapy session data; therapy reflections; diagnostic instrument results (check-ups); progress log (journal entries).

Usage data: App session data; settings data

Other data: Type of health insurance (private or statutory); self-payer

3.1 Special categories of data

We process special categories of personal data about you. This may include information about your health (i.e. sensitive health data). We do not process information about criminal convictions and offences. Sensitive health data is stored in Germany.

3.2 Aggregated and anonymous data

We also collect, process and share aggregated/anonymous data such as statistical evaluations if you consent to this. The process of anonymization constitutes data processing that requires a legal basis, so we only anonymize your personal data if you give your consent. We use the anonymized data for research purposes and for statistical evaluation.

The anonymized data, in turn, no longer falls within the scope of data protection laws, as it no longer has any personal reference. Anonymous data does not reveal your identity, either directly or indirectly. For example, we may combine your health data with the data of other users to calculate the percentage of users with a particular disease, to produce scientific work, or to improve the service (e.g., development of algorithms).

The resulting aggregated data should be considered anonymous, as it will not be possible to identify the individuals involved.

However, if we combine or link aggregated data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data processed in accordance with this Privacy Policy.

3.3 Cookies

We only process so-called "technical cookies" in our app, which enable us to recognise you as a user each time you access the app. This data is not passed on to third parties.

4. How is your personal data collected?

We use various methods to collect information from and about you, including through:

Direct Interactions. You may provide us with your personal information (including sensitive information) by filling out forms/questionnaires or by contacting us by mail, phone, email or other means. This includes personal information that you provide when you:

  • Use our products or services: When you use our services, we may receive or collect information or data about or relating to you, such as usage data or other data.
  • Create an account in our app: You must provide login information to use our Services and create an account to access the features of our Services, which may include your nickname and email address.
  • Give us feedback or contact us: any information you provide to our customer service team, from correspondence you send to us, from any communications you have with us and from any feedback you give us.

Automated Techniques or Interactions. When you interact with our App, we automatically collect technical data about your devices, browsing activities, and behavior patterns. We collect this technical data using cookies and other similar technologies. We may also obtain technical data about you when you visit other websites that use our cookies.

Third Parties. We may receive personal information about you from third parties, such as healthcare professionals associated with your account.

5. Processing purposes and legal basis

In the table below you will find a description of all the ways in which we may process your personal data and the legal basis that allows us to do so. For these purposes, we may share your personal data with other parties (see the "Sharing" section for more information).

Purpose of processing

Providing access to our app and its basic functions for the intended use of the elona therapy digital health app by end users (e.g. creating an account; collecting data that the patient does not want to share with their healthcare professional).

Type of data

  • Identification data
  • Personal data
  • Usage data
  • Other data

Legal basis

The processing of personal data is based on your consent (Art. 6 (1) (a) GDPR), on the necessity for the performance of the contract with you (Art. 6 (1) (b) GDPR) and on the legitimate interest in the efficient performance of the service (Art. 6 (1) (f) GDPR).

Type of data

  • Health data

Legal basis

Special types of personal data (sensitive personal data) about you are processed on the basis of your explicit consent (Art. 9 (2) (a) GDPR).

5.1 Other processing purposes

Safety and security

If necessary, we may use your personal information to maintain the security of our services and our users. We may use your personal data to monitor operations, authenticate users, detect and protect against fraud and other criminal activity, and enforce our Terms of Use and other policies. We rely on our legitimate interests when we process personal data to detect and prevent fraud and illegal behavior, or when necessary to comply with a legal obligation to which we are subject.

Processing and defense of legal claims

If necessary, we may use your personal data to administer and defend legal claims, e.g. in connection with a dispute or legal proceedings. In such a case, we will process the personal data collected that is necessary for the processing and defense of the legal claim in question. The processing is based on our legitimate interest to process and defend legal claims. Your personal data will be stored for this purpose for as long as is necessary for the processing or defense of the legal claim.

For this purpose, we may also share certain information with other parties as described below.

Fulfillment of legal obligations

Finally, we use your personal data to fulfill legal obligations, e.g. accounting requirements or obligations under data protection laws. In such a case, we will process the collected personal data to the extent necessary to fulfill the respective legal obligation. Your personal data will be stored for as long as necessary to fulfill the respective legal obligations.

5.2 Change of the purpose of processing

We will only process your personal data for the purposes for which we collected it, unless we consider that we need to use it for another purpose and that this purpose is compatible with the original purpose. If you would like an explanation of how processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for another purpose, we will inform you and explain the legal basis that allows us to do so.

Please note that we may process your personal data without your knowledge or consent in compliance with the above rules if required or permitted by law.

6. Login in the app with Touch ID/Face ID/Fingerprint

You have the option of activating the biometric identifier, depending on your end device, via your fingerprint ("Touch ID"/"Fingerprint ID") or facial recognition ("Face ID") for the login in the settings. The biometric identification is done via a technology in your mobile device and the data is only stored locally on your device. We are not responsible for the procedure and the data is not transmitted to us.

The processing of your personal biometric data within the scope of this function is based on your prior explicit consent pursuant to Art. 9 (2) (a) GDPR vis-à-vis the provider of your operating system. You can deactivate the login via biometric identifier in the app at any time.

7. Disclosure of personal data

We will only share your personal data:

  • In our capacity as data controllers in connection with the original purposes.
  • As a processor, in accordance with the instructions of your healthcare professional.

In general, we do not share your personal information with third parties unless you have given your consent or unless otherwise stated in this policy.

In certain circumstances, we may disclose or share your personal information with third parties only in the ways described in this policy, including as follows:

  • You acknowledge and agree that we may collect and disclose your personal data to your healthcare professional (provided you have given us your consent).
  • In certain circumstances, we may need to disclose personal information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements. We may disclose your personal information (i) to a government agency as part of an investigation to determine whether we are complying with applicable laws, rules or regulations (including data protection laws, rules and regulations), (ii) in response to a court order, subpoena, discovery request or other lawful judicial or administrative proceeding, (iii) if otherwise required or permitted by an applicable law, rule or regulation, (iv) if we believe, in good faith, that we must disclose your personal information, (v) in good faith to protect or defend the rights or property of Elona Health and other users, and (vi) if Elona Health is involved in a merger, acquisition or sale of all or a portion of its assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of your personal information and of the choices you have regarding your personal information.
  • Third Party Service Providers: We may use third party service providers to provide certain data processing services to us (acting as our Authorised Data Processors), such as for the development, data storage, operational provision and administration of the elona therapy App. When acting as our authorised data processors, they are obliged to process data only in accordance with our instructions and in compliance with this Policy, and are subject to appropriate confidentiality and security obligations.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only allow them to process your personal data for specific purposes and in accordance with our instructions.

The personal data collected above will also be processed by our employees, who will act on specific instructions regarding the purposes and modalities of such processing.

We may share anonymous, aggregated or general data with third parties. In these cases, however, we do not share information that could be used to identify you personally.

8. International data transmission

We do not transfer your personal data outside the European Economic Area (EEA). Your personal data is stored in Germany.

9. Data protection and security

We have implemented adequate security measures to prevent the accidental loss, unauthorized use or access, alteration or disclosure of your personal information. In addition, we restrict access to your personal data to those employees, agents, contractors and other third parties who need it for business reasons. They will process your personal data only on our instructions and are bound to confidentiality.

We have taken reasonable steps to deal with any suspected data breach and will notify you and any relevant supervisory authorities of a breach to the extent we are required to do so by law.

We keep your data safe by using best practices and the highest security standards.

We take various measures to protect your personal information from unauthorized access, use or alteration, and from unlawful destruction or disclosure, such as:

  • We use encryption technologies for the transmission and storage of your personal data;
  • We restrict access to your personal information on a strict need-to-know basis (e.g., Elona Health employees engaged in non-product related tasks do not have access to health-related information);
  • We have physical, electronic and procedural safeguards in place that meet industry standards.

Please note that despite our best efforts, we cannot guarantee that unauthorized access will be prevented, as no method of transmitting or storing information is completely secure.

All data processing is carried out in accordance with the GDPR.

We endeavor to limit the collection of personal data to that which is directly relevant and necessary to achieve the purposes set out above (data minimization principle).

10. Retention period

We delete your personal data as soon as the purpose or the legal basis for the storage ceases to apply. This is usually the case when the user account with us is deleted. In accordance with § 33a SGB V, the possibility to use the app ends with the expiry of the prescribed or approved period of use, without the need for termination. The data is then deleted unless we need it to fulfill legal obligations.

Your data will also be deleted if you explicitly request us to do so or if you revoke your consent. Uninstalling the app from the respective end device does not necessarily lead to a deletion of your data. You can access your user account again after reinstallation.

The data processed by us for the purpose of intended use or for the purpose of user-friendliness and further development of the digital health app may be stored for longer in order to ensure continuity of care. However, this requires your separate consent and allows us to store the data for an additional 30 days beyond the prescription period. 

Storage may also take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is provided for by legal regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

11. Your rights

In certain circumstances, you may be entitled to exercise certain rights in relation to your personal data in accordance with data protection legislation. If you wish to exercise your rights, please contact us at:

We will endeavor to respond in a timely manner upon receipt of privacy-related communications.

You have the right:

  • To receive information: You have the right to receive clear, transparent and easy to understand information about how we use your personal data and what your rights are. We do this by providing you with the information in this privacy policy.
  • To obtain access to your personal data: You have the right to request access to your personal data and to request a copy of your personal data held by us. If you have created a user account, you can view certain information directly through our services on your user interface.
  • To update your personal data: You have the right to request that inaccurate or incomplete personal data be corrected or completed. If you have created a user account, you can update certain information directly in your account.
  • To delete your personal data (right to be forgotten): You can request that your user account be deleted at any time. You also have the right to request the deletion of your personal data in certain circumstances. However, we may need to retain your personal data if we are required to retain certain data to comply with legal obligations or to administer or defend legal claims.
  • To restrict the use of your personal data: You have the right to request the restriction of the use of your personal data under certain circumstances. If you have requested the restriction of the use of your personal data, please note that you will not be able to use the App during the period in which the use of your personal data is restricted.
  • To object to the use of your personal data: The processing of certain personal data is based on our legitimate interest or the legitimate interest of others. You have the right to object to the use of your personal data based on a legitimate interest on personal grounds. In such a case, we will stop using your personal data if the use is based on a legitimate interest, unless we can demonstrate that the interest in processing the data outweighs your personal data protection interest or that the use of your personal data is necessary to administer or defend legal claims.
  • Not to be subject to a decision based solely on automated decision making: You have the right not to be subject to such automated decision making about you unless: (a) you have given us your explicit consent to use your personal data for our automated decision making; (b) we are legally authorised to carry out our automated decision making; or (c) our automated decision making was necessary for us to enter into a contract with you.
  • To transfer your personal data (data portability): You have the right to receive a copy of certain information you have provided to us in a structured, machine-readable format that allows you to transfer the data to another recipient.
  • To revoke your consent at any time: If the processing of your personal data is based on your consent, you have the right to revoke your express consent at any time. However, this does not affect the lawfulness of the processing that took place before you withdrew your consent. If you withdraw your consent, we may no longer be able to provide you with certain products or services. We will inform you when you revoke your consent.
  • To file a complaint: As a data subject, you have the right to lodge a complaint with the competent supervisory authority or seek redress from a national court under the conditions set out in Article 77 GDPR if you consider that your rights in relation to your personal data have been infringed. We would be grateful if you would give us the opportunity to address your complaint first by using the contact details provided at the end of this Privacy Policy. If you ask us to stop processing your personal data or to delete your personal data, this will usually mean that you will no longer be able to use our Services, or at least those aspects of the Services that require the processing of the types of personal data that you have asked us to delete, which may result in you no longer being able to use the Services.

In order to ensure your right to access your personal data (or exercise your other rights), we may require certain information from you to confirm your identity. This is a security measure to prevent personal data from being disclosed to people who do not have the right to receive it. We may also contact you to ask for more information related to your request so that we can respond more quickly.

We make every effort to respond to all legitimate inquiries in a timely manner. If your request is particularly complex or you have made multiple requests, it may take longer to process. In this case, we will notify you and keep you informed.

12. Responsible body and contact information

Full name of the company: Elona Health GmbH

E-mail address (data protection):

Data Protection Officer: Laura Sophie Everding,

E-mail address (general):

Postal address: Schirmerstraße 61, 40211 Düsseldorf, Germany (Registry Court: Düsseldorf HRB 94043)

13. Changes to the privacy policy and our obligation to inform you about changes

We may change and revise this policy from time to time. All information we collect is subject to the Privacy Policy in effect at the time such information is collected.

Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email or via the App. We therefore recommend that you check this page from time to time to stay informed about how we process your data.

This version was last updated on 27 November 2022.