Privacy Policy for StayWell

Last updated: 24 May 2024

1. Responsible Entity

StayWell is a platform of:

StayWell GesbR
Kauergasse 8
1150 Vienna, Austria

Email: datenschutz@staywell.at

3. Data Security

The collection and processing of personal data at StayWell is always purpose-bound and depends on how you use our platform. Below we explain which types of data arise in which usage situations, for what purpose they are processed, and on what legal basis this occurs.

2.1 Visiting the StayWell website without logging in:

When you visit our website without logging in or registering, certain technical data is automatically collected. This data helps us ensure the security and stability of the site and continuously improve it.

Data Category:
- Browser Type/Version
- Device Type
- Operating System
- Referrer URL
- Access Time
- Internet Service Provider
- IP Address
- Location Data
- User Behavior and Viewed Content
- Cookies / Pixels / Tracking IDs

Purpose: Technical operation, functionality, security, and optimization of the website as well as analysis of user behavior.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest) or Art. 6 para. 1 lit. a GDPR (consent).

Storage period: Maximum of 90 days, then anonymization or deletion.

2.3 Contact Form, Chat, or Email

Data Categories:
- First Name
- Last Name
- Company Name
- Email Address
- Technical Access Data (see 2.1)

Purpose: Management of registration and notification about StayWell's availability.

Legal Basis: Art. 6(1)(a) GDPR (Consent).

Storage Period: Until registration invitation or max. 12 months.

2.4 Use of the platform as a registered person

Data categories:
- Master data: Name, Email, Phone number, Gender
- Usage data: Challenges, Logs, Routines
- Health data: Vital signs, Wearables, HRV, etc.

Purpose: Personalized content, Program participation, Progress tracking.

Legal basis: Art. 6 para. 1 lit. b GDPR (Contract), Art. 9 para. 2 lit. a GDPR (Consent for health data)

Storage period: Until the account is deleted. Test results remain stored until users manually remove them.

2.5 Newsletter & Marketing:

Data category:
- Name
- Email
- Phone number
- Marketing preferences

Purpose: Sending personalized content and information

Legal basis: Art. 6 para. 1 lit. a GDPR

Storage period: Until revocation or account deletion

3. Cookies & Tracking

Which cookies are actually used depends on the services and applications employed. You will find a detailed overview in the following sections. Below we give a general overview of the different types of cookies and their functions.

Types of cookies:
- Essential (functionally strictly necessary)
- Functional (convenience features)
- Marketing (personalized advertising)

Tools used:
- Google Analytics 4
- YouTube
- Google Tag Manager
- Google Ads
- Meta Pixel
- Hotjar

3.1 Cookie Consent Management with Cookiebot

To manage consents and the legal integration of cookies and tracking technologies, we use the Cookiebot service from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark.

Upon the first visit to our website, a cookie banner will appear, through which you can give or decline your consent to the use of specific cookies.

Cookiebot stores your selection so that it is taken into account during future visits. The storage is done locally in the browser (via cookie) and on Cookiebot servers (EU location).

Processed data: IP address (in anonymized form), browser information, date and time of visit, consent status.

Purpose: Compliance with legal requirements for obtaining and documenting consents according to Art. 6 para. 1 lit. c GDPR.

Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation).

Further information: https://www.cookiebot.com/en/privacy-policy/

Legal basis: Consent according to § 96 para. 3 Austrian Telecommunications Act (TKG) in conjunction with Art. 6 para. 1 lit. a GDPR

Deactivation: In the browser or via the cookie banner

4. Disclosure to Third Parties

Data is only shared when necessary, e.g.:

- Wearables (only with consent)
- Hosting: AWS Frankfurt
- Tracking/Analysis: Google

Transfer to third countries:
- EU-US Data Privacy Framework (DPF)
- Standard Contractual Clauses (SCCs)
- No sharing for commercial purposes

4. Disclosure to Third Parties

Personal data will generally only be stored for as long as necessary to fulfill the respective purpose. Once the purpose of processing is no longer applicable, the data will be deleted or anonymized, unless there is a legal obligation to retain it (e.g. tax retention periods).

In case of revocation of consent or a request for deletion, data deletion will be carried out as soon as possible, unless there are other legal obligations to store the data.

- Health data: max. 30 days after revocation
- Backups: max. 90 days

Deletion requests: datenschutz@staywell.at

6. Users' Rights

Users have the right to request information at any time about the personal data processed by StayWell in the context of the General Data Protection Regulation (GDPR).

Furthermore, there are rights to rectification, erasure, restriction of processing, as well as data portability. There is also a right to object to certain processing activities and the possibility to revoke consent given for the future.

Below, these rights are listed individually:

- Right to information (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)

Contact: datenschutz@staywell.at
Complaint: Data Protection Authority Austria (dsb@dsb.gv.at)

7. Data Security

To secure all personal data processed through the StayWell platform, we implement extensive technical and organizational measures. These measures aim to protect against unauthorized access, loss, misuse, or unlawful alteration. The security mechanisms used are regularly reviewed and updated to reflect the latest technology.

SSL/TLS, Access Control, Encryption, Audits

As of April 2025

StayWell GmbH

Data Protection Department

privacy@staywell-app.com