Privacy Policy (for using the app)
Last updated: 15 June 2026
The German-language version is legally authoritative; translations into other languages are non-binding convenience translations.
With this Privacy Notice, we would like to inform you about the basis on which and the purposes for which we process personal data that we collect from you or that you provide to us when you use the Preventicus Heartbeats app. If you also wish to use our additional package Preventicus Coach through the app, please note Section V.
We would also like to inform you about the data protection rights available to you.
For certain categories of data processing, supplementary data protection provisions may apply, for example if you use the Preventicus Heartbeats app to participate in a study or in a telemedical care program offered by your health insurer.
The Preventicus Heartbeats app is a medical device classified for the European Economic Area and fulfils the essential requirements of Regulation (EU) 2017/745 on medical devices (MDR) and its national implementation.
Further information can be found in the Terms of Use.
PREVENTICUS will process your personal data confidentially and strictly for the defined purposes. Your health data is processed exclusively on servers in Germany.
I. Who is responsible for data processing and whom can I contact?
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Preventicus GmbH
Ernst-Abbe-Straße 15
07743 Jena
Germany
You can reach our company Data Protection Officer at the contact details above and by email at: datenschutz@preventicus.com
II. What is personal data?
Personal data is information that can be used to identify or contact a person, for example via an email address.
To use the Preventicus Heartbeats app, we do not require your name or any other contact details from you. Instead, we initially store your data in our systems without a name reference (pseudonymously).
In this sense, the Preventicus Heartbeats app does not process data that directly identifies you. Based on the data typically stored in Preventicus Heartbeats, Preventicus cannot identify or individually contact unregistered users.
III. What data do we collect?
III.a Health data
With the Preventicus Heartbeats app, you can independently create and document series of pulse measurements using your smartphone or a wearable. Using the information provided in this way, the Preventicus Heartbeats app can help automatically detect and classify cardiac arrhythmias (extra beats, atrial fibrillation), provided sufficiently accurate and valid measurement series are available (“health data”). We store your heart rhythm and pulse waves on our servers.
III.b Health profile data in the additional package Preventicus 360°
The health profile in the additional package Preventicus 360° is formed on the basis of basic data and heart-rate and heart-rhythm data determined by the Preventicus Heartbeats app. In addition, information from medically validated questionnaires and self-administered tests is included, including entries of blood pressure values, height, weight, waist circumference, and results from performing, for example, movement tests.
III.c Sensor data
In addition to classifying the measurement results, other sensor data from your smartphone is also accessed when measuring with the camera and stored with the measurement, for example to take into account vibrations that may impair the measurement result.
III.d Other data that you provide to us
As a general rule, we do not require your name or any other contact details from you. Instead, we initially store your data in our systems without a name reference. Processing takes place exclusively on servers in Germany. However, you have the option to store your name in saved PDF reports and, in a free-text field, to store the circumstances of the measurement or symptoms (palpitations, dizziness, skipped beats, chest pain, etc.) for your own purposes, for example as an aid when passing the report on to your physician.
You may also enter your gender and year of birth (basic data) in your user profile, which enables us to classify your measurement results more effectively.
III.e User data
If you wish to register with us, you provide us with your email address and a password chosen by you. Optionally, you may choose a username, provide your name, and enter a voucher code in the “access code” field.
Your data will then be stored pseudonymously. This means that your personal data is stored in hashed form in a database separate from your health data, and can be linked to it if necessary.
Registration allows you to transfer your licence independently of the operating system and to restore your measurement data if you change or lose your smartphone. It also enables participation in a care program or a study.
III.f Interoperability option with third-party app
Preventicus Heartbeats can be launched and used for heart rhythm measurements from interoperable medical applications offered by third-party providers.
In this case, Preventicus Heartbeats carries out its measurements with subsequent pseudonymised data analysis on servers in Germany. The pseudonymised results are transmitted back to the medical third-party app in encrypted form. In this process, Preventicus Heartbeats does not collect any data from the medical third-party app that can be related to a person, with the exception of the information required for data analysis (age and gender).
Preventicus Heartbeats is an independent medical application. When using the interoperability option, please note the privacy notices of the compatible medical third-party app that you also use.
Preventicus has no influence over any further processing of your measurement results in medical applications offered by third parties.
List of compatible medical applications that are currently interoperable with Preventicus Heartbeats:
- Corsano-AF App: app for conducting various studies
III.g Contract data
To fulfil our contractual obligations, we process the contract date, subscription type, term and renewal information, price and payment data (e.g. selected tariff, currency, amount), transaction ID, order number, subscription status (active, cancelled, expired), invoice or booking information, the pseudonymous user identifier transmitted by the app store (e.g. Apple ID hash, Google account ID), date of the last payment, and expiry date of the subscription.
III.h Usage and device data that we collect during and through use of our app
Standard logging
When our app is used, the following device data is collected on the server side: device type, device model, operating system and version, language and region settings, app version, installation source, IP address, timestamps of connections, device ID, session token, access token, push token, date and time, and the name of the server-side resource accessed or the data records transmitted.
Google Firebase Analytics and crash reports
In Heartbeats, the services Google Analytics for Firebase and Firebase Crashlytics are used on the basis of your consent. We use them to collect statistically aggregated data about app usage, specifically relating to system crashes and errors (Firebase Crashlytics) for error detection and correction, as well as certain user-triggered events (Google Analytics for Firebase) to optimise our app.
Please note that this may also involve processing personal data in the so-called third country USA, i.e. outside the EEA. In its decision of 10 July 2023 pursuant to Article 45 GDPR, the European Commission recognised the level of data protection for certain companies in the USA as adequate under the EU-U.S. Trans-Atlantic Data Privacy Framework, including Google LLC.
In addition, we have provided appropriate safeguards with Google LLC by means of standard contractual clauses adopted by the European Commission, which provide you with enforceable rights and effective legal remedies. We use the standard contractual clauses with Module Two, which you can find here.
For Crashlytics, information about the device is collected, including the UUID and anonymised IP address, the installed app version, and other information, particularly relating to the user’s software and hardware. For Analytics, when the user performs a specific action, an identifier corresponding to the event and the Instance ID of your device are sent to Google. The usage and device data are aggregated and analysed exclusively in pseudonymised form by Google Ireland Ltd. as our processor. Your data is not disclosed to third parties in this context.
You can deactivate the analytics services Firebase Crashlytics and Firebase Analytics of Google LLC at any time and thereby withdraw your consent to the collection of this data with effect for the future. To do so, open the settings (gear icon at the top right) and click “Deactivate”.
If you participate in a care program via Heartbeats that your statutory or private health insurer organises jointly with us, among others, the collection of data by Firebase Crashlytics and Google Analytics for Firebase will be deactivated by us when the contract for the respective care program begins and reactivated after it ends, provided that you had given your consent.
Push notifications
We also use the Firebase Cloud Messaging service of Google Inc. for Android and Apple Push Notifications for iOS to send push notifications or so-called in-app messages (messages that are displayed only within the respective app) to your device. In doing so, Firebase and Apple generate a calculated key consisting of the app identifier and your device identifier.
This key is stored on our push platform together with the settings you have chosen in order to provide you with content according to your preferences. Firebase and Apple servers cannot draw any conclusions about user requests or otherwise determine data connected to a person. Firebase and Apple act solely as transmitters.
Push notifications can be deactivated and reactivated at any time in the device settings. We do not process any data that can be related to a person in this context.
Advertising performance measurement with Adjust and Microsoft Ads
If you have consented to tracking, we use functions of Adjust in the “Heartbeats” app. Adjust is a service of Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany. We use it to measure and optimise the effectiveness of our advertising measures via the Microsoft/Bing advertising network (Microsoft Advertising). In this context, Adjust, as a processor engaged by us, may process measurement, attribution, and conversion data and — where activated by us — pass this data on to Microsoft Advertising.
The contracting partner for Microsoft Advertising in the EEA is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
The processing serves to measure the success of our advertising campaigns, in particular to determine whether an app download, first opening of the app, in-app event, or in-app purchase can be attributed to an advertisement in the Microsoft/Bing advertising network. Depending on the platform and configuration, advertising and device identifiers, IP address, app and device data, session data, event and conversion data, campaign and attribution data, and, if applicable, revenue data may be processed for this purpose.
For campaigns via Microsoft/Bing, a Microsoft Click ID (msclkid) or comparable campaign identifier may also be processed in particular in order to assign advertising clicks to subsequent conversions.
The legal basis is Article 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent). In addition, the use or installation of the Heartbeats health app may create a connection to health data or at least to health-related interests. The processing therefore takes place exclusively on the basis of your prior consent.
Please note that, in connection with Adjust and Microsoft Advertising, processing of personal data in the USA cannot be ruled out. Adjust provides contractual safeguards for third-country transfers in accordance with Chapter V GDPR; at the same time, Adjust also names service providers in the USA in its current data processing agreement. Microsoft likewise refers to international data processing in its current privacy statement; Microsoft is also certified under the EU-U.S. Data Privacy Framework.
You may withdraw your consent at any time with effect for the future. To do so, open the settings in the app (gear icon at the top right) and deactivate tracking there. After withdrawal, no further data collection will take place for this advertising and conversion measurement. If you participate in a care program via Heartbeats that your statutory or private health insurer organises jointly with us, the collection of data for Adjust / Microsoft Advertising will be deactivated by us when the respective care program begins and reactivated after it ends, provided that you had previously given your consent.
IV. For what purposes do we process the above data?
IV.a Data processing to fulfil contractual obligations, including payment processing when using the full version and paid additional packages
If you purchase the full version, your contract data is processed exclusively by the app store operator to handle the purchase. The contact and payment data stored with the respective app store is not transmitted to us. Please note the privacy policy and terms of use of your respective app store operator (Apple App Store or Google Play Store).
IV.b Data processing when using the additional package Preventicus 360°
Basic data (age, gender) and the results of the most recent measurement (heart rhythm, heart rate, calculated relaxation index) are automatically transmitted from Preventicus Heartbeats to Preventicus 360°.
All other health data must be entered manually by you within Preventicus 360° and is incorporated into the health profile. Based on the health profile, automated server-side evaluations are created and displayed in Preventicus 360° for:
- heart health, taking into account measurements of heart rhythm and resting pulse (by means of pulse analysis) and heart attack risk;
- circulation, including stroke risk and high blood pressure, taking into account user information on blood pressure;
- metabolism and diabetes risk, taking into account user information on BMI, waist-to-height ratio, and alcohol consumption;
- well-being and depression risk, including display of the relaxation index (based on pulse analysis) and taking into account user information on psychological well-being;
- mobility and back health, assessing coordination, strength, flexibility, or muscular endurance while taking into account user information on functional and movement limitations.
Preventicus Heartbeats also displays information from the additional package Preventicus 360° in the app’s notification centre:
- whether there are new suggestions due to changed health data in Preventicus 360°;
- whether health data in Preventicus 360° is missing or outdated and needs to be completed again.
IV.c Data processing for support purposes
If you contact us for support purposes, user data and the corresponding communications are regularly provided to us and processed for internal administrative purposes and, if applicable, also further processed in anonymised form for quality assurance purposes.
IV.d Data processing for scientific research purposes
For scientific research purposes, we process anonymised measurement results. Separately from this, we process the IP address to classify your residential district as well as other statistical data, such as age and gender.
V. Where do we store your personal data?
If you have consented in the app to the use of Google Analytics for Firebase and Firebase Crashlytics, processing of personal data in the so-called third country USA, i.e. outside the EEA, cannot be ruled out. Within the framework of the EU-U.S. Trans-Atlantic Data Privacy Framework, the European Commission recognised the level of data protection for certified companies in the USA as adequate in its decision of 10 July 2023 pursuant to Article 45 GDPR, including Google LLC.
If you send us a support request, we process it in our ticket system provided by Freshworks GmbH. In this context, disclosure to other Freshworks companies, including Freshworks Inc., cannot be ruled out under certain circumstances. Freshworks Inc. has also certified itself under the EU-U.S. Trans-Atlantic Data Privacy Framework, so the European Commission’s adequacy decision also applies to the relevant processing.
All other data is processed exclusively in data centres in Germany.
VI. For what purpose do we process your data and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
VI.a To fulfil contractual obligations (Article 6(1)(b) GDPR)
Preventicus processes the contract-related data in relation to the account in order to provide and assign the contractually agreed services to you and other service providers and to make the data available to the correct recipients.
VI.b To process personal health data on the basis of your consent (Article 6(1)(a) GDPR, Article 9(2)(a) GDPR)
Based on your consent, we process your health data in order to detect cardiac arrhythmias (extra beats, atrial fibrillation) and to classify the results in analysis reports for your information.
VI.c To establish, exercise, or defend legal claims (Article 9(2)(f) GDPR)
Where necessary, we may process your data to establish, exercise, or defend legal claims.
VI.d In the context of a balancing of interests (Article 6(1)(f) GDPR in conjunction with Section 27 BDSG)
Within the scope of our legitimate interest, we store and anonymise your measurement series and the evaluations or health data created by us in this regard for scientific purposes. To this end, Preventicus will delete the assignment to the account. In addition, we process the IP address for anonymous classification of your residential district and other statistical data, such as age and gender, where available.
The data is thereby anonymised in such a way that data subjects cannot be identified or can no longer be identified.
VII. To whom is my personal or person-relatable data transmitted?
Within Preventicus, in principle only those persons receive access to data who need it to fulfil our contractual and, where applicable, legal obligations. Service providers and vicarious agents engaged by us may also receive data for these purposes. This applies in particular to our ISO 27001-certified hosting provider.
Accordingly, we do not transmit any personal data or data that can be related to you to third parties without your express prior consent.
You are free to transmit the evaluations generated via the app (Reports menu item) to third parties. For example, you may use a technical partner of Preventicus, such as a telecare centre. Please note Section 6 of the Terms of Use regarding the “Telecare Centre” usage package.
VIII. Is the provision of personal data required by law or contract?
You are not obliged to provide us with the personal data mentioned above.
IX. How long is my data stored?
As a general rule, we process and store your personal data for as long as this is necessary to fulfil the respective purpose or as required by law.
X. Your rights as a data subject
Every person affected by our processing of personal data has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right of access and the right to erasure.
In addition, there is a right to lodge a complaint with a data protection supervisory authority pursuant to Article 77 GDPR in conjunction with Section 19 BDSG.
Except in the case of registered users, Preventicus is unable to identify users. In the absence of sufficiently identifying characteristics, Preventicus cannot assign health data to an unregistered user. In these cases, Articles 15 to 20 GDPR do not apply.
XI. Information about your right to object under Article 21 GDPR
XI.I Case-specific right to object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Article 6(1)(f) GDPR (data processing based on a balancing of interests); this also applies, where applicable, to profiling based on this provision within the meaning of Article 4(4) GDPR. Please see in particular Section 3.4.
If you object, we may no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
XI.II Withdrawal of consent granted
You may withdraw consent granted to us at any time with effect for the future.
XI.III Exercising an objection or withdrawing consent granted
The objection may be made without formal requirements and may be addressed to us, for example:
- by clicking unsubscribe at the bottom of an email message (newsletter);
- by using our contact form under Contact to object;
- by written notification to the address stated in Section 1;
- by telephone at +49 (0) 3641 / 55 98 45 – 0;
- or by email to info@preventicus.com;
- or, to unsubscribe from emails or other advertising material, by following the instructions in the respective message.
Please contact the Data Protection Officer directly regarding your data protection rights.
XII. Right to amend
Preventicus is entitled to amend the Privacy Notice at any time, in particular to adapt it to changes in the legal situation resulting from legislation or case law. The most current version is available and can be viewed at this location. Amendments to the Privacy Notice take effect on the day they are published at this location.
XIII. Appendix: Processing of personal data under the EU Data Act
This appendix describes how Preventicus processes product data and related service data generated through your use of the Preventicus Heartbeats Services. A detailed overview of the data that we currently identify as product data and related service data can be found in the information sheet on the EU Data Act for the Heartbeats app and the Preventicus Heartbeats Services, which is described and made available via www.preventicus.com.
Preventicus initially treats all product data and related service data as personal data because they are linked to your user account, even though Preventicus does not store usernames in plain text. Accordingly, their processing must generally comply with applicable data protection laws, including the GDPR.
1. Scope and definitions
1.1 This appendix governs the processing of personal data that also qualifies as product data and/or related service data and that may be lawfully requested pursuant to:
(a) Chapter II of the EU Data Act (either directly by you or through third parties); or
(b) Chapter V of the EU Data Act (by public sector bodies).
1.2 For the purposes of this appendix, the following definitions apply:
(a) User: a natural or legal person registered with Preventicus as a user.
(b) Product data: data generated by the use of the connected product and designed by the manufacturer to be retrievable via an electronic communications service, a physical connection, or on-device access.
(c) Related service data: data representing the digitisation of user actions or operations in connection with the Preventicus Heartbeats Services, recorded by you intentionally or generated as a by-product during the provision of a related service via the app.
2. Lawful processing
Preventicus generally processes product data and related service data in accordance with the legal bases for the processing of personal data set out in the Privacy Notice above. In cases where Preventicus is obliged to provide product data and related service data that also qualifies as personal data, three main scenarios must be distinguished:
2.1 The data subject is the requesting user: We may be required to provide product data and related service data that also qualifies as personal data to a user who is also the data subject (pursuant to Article 4(1), or to a third party pursuant to Article 5(1), of the EU Data Act). In such a case, the legal basis for processing the data is Article 6(1)(c) GDPR because this is necessary to fulfil a legal obligation to which we are subject (Article 4(1) and Article 5(1) of the EU Data Act). At the same time, we effectively comply with the instructions of the data subject when they exercise their right under Article 4(1) of the EU Data Act or have selected a third party as the recipient of the data pursuant to Article 5(1) of the EU Data Act.
2.2 The data subject is not the requesting user: If a user makes a request under Article 4(1) of the EU Data Act or Article 5(1) of the EU Data Act, or if a third party makes a request on behalf of the user pursuant to Article 5(1) of the EU Data Act, without the requesting user also being the data subject in relation to the data that is the subject of such a request, the following applies:
2.2.1 If we know that the requesting user is not the data subject, we require the requesting user or the requesting third party pursuant to Article 5(1) of the EU Data Act to provide proof that the data subject has given consent (Article 6(1)(a) GDPR). If the user cannot provide proof of the data subject’s consent, Preventicus may provide the data on the basis of a legitimate interest pursuant to Article 6(1)(f) GDPR, provided Article 9(1) GDPR does not preclude this. In this case, however, we must examine in each individual request whether providing the data is necessary to protect the legitimate interests of the requesting user, unless the interests or fundamental rights and freedoms of the data subject requiring protection of personal data override those interests.
2.2.2 If we have no indications or reasons to assume that the requesting user is not the data subject, we must rely on the requesting user or the requesting third party, in the scenarios of Article 5(1) of the EU Data Act, having verified that their access to the requested available data complies with the GDPR.
Before providing personal product data and related service data, we generally require requesters to confirm their obligation to comply with the GDPR by accepting the terms of use provided by Preventicus under the EU Data Act.
2.3 Requests from government institutions, bodies, and other entities: This covers granting access to public sector bodies that demonstrate an exceptional need to use certain data as described in Article 15 of the Data Act, i.e. the scenario under Article 14(1) of the EU Data Act. In such cases, the legal basis for processing is Article 6(1)(e) GDPR because providing product data and related service data that also qualifies as personal data is necessary in order to respond to a public emergency, with the emergency response and resolution being in the public interest.
Clarifying note: The legal bases for processing personal data set out in the Preventicus Privacy Notice remain fully applicable. The same applies to provisions concerning the form of consent and the possibility of withdrawing it.
3. Procedure for requesting product data and/or related service data under the EU Data Act
3.1 Requests under the EU Data Act must clearly state the basis on which they are made:
(a) GDPR (e.g. access, rectification); or
(b) EU Data Act (e.g. access to product data and/or related service data).
Third Party Libraries Preventicus Heartbeats: https://www.preventicus.com/third-party-libraries-heartbeats-apps/
Jena, 15 June 2026