Health Data Processing Policy
- INTRODUCTORY PROVISIONS
1.1 This Policy has been issued by smpl_start s.r.o., ID No.: 05679087, with its registered office at Bubenská 1158/17, Holešovice, 170 00 Praha 7, registered in the Commercial Register maintained by the Regional Court in Prague under file No. C 387945 ("Provider"), for customers who are interested in using the services provided by the Provider ("Customer").
1.2 The Provider's services are provided to the Customer on the basis of a separate contract ("Contract"), the subject of which is the provision of data analysis services and the provision of outputs from this data, using elements of artificial intelligence ("Services"). The Services may also be provided through a web interface and mobile applications in which the Customer has a user account. The creation of an account and the use of the Services is entirely voluntary.
1.3 The Provider fulfills its information obligation towards Customers within the meaning of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), relating to the processing of Customers' personal data for the purposes of performing the Contract, for the purposes of negotiating the Contract, and for the purposes of fulfilling the Provider's public law obligations, through the information provided below in this Policy.
1.4 Unless expressly stated otherwise in this Policy, the Provider acts as the controller of personal data and the Customer acts as the data subject, as these roles are defined in the GDPR.
- SCOPE, PURPOSES, AND DURATION OF PROCESSING
2.1 The Provider processes the Customer's personal data exclusively for the purposes of:
a) performance of a contract within the meaning of Article 6(1)(b) of the GDPR,
b) negotiating a contract within the meaning of Article 6(1)(b) of the GDPR,
c) consent within the meaning of Article 9(2)(a) of the GDPR,
d) fulfilling the Provider's legal obligations within the meaning of Article 6(1)(c) of the GDPR, and
e) the legitimate interests of the Provider within the meaning of Article 6(1)(f) of the GDPR.
2.2 The scope of personal data processed by the Provider is as follows:
a) first and last name,
b) residential address and delivery address, or other billing address,
c) bank account number and, if applicable, other payment details necessary for processing,
d) email address and telephone number,
e) user ID,
f) identifier and other information about connecting the account to an external device or service (device token, API token),
g) Customer's IP addresses
h) system and device data, protocols, session logs, and other metadata,
i) optionally also other data (location data, lifestyle information such as weight or age), other manually entered information
(collectively, "non-health data"), and also
a) daily number of steps
b) distance traveled
c) heart rate (average, maximum, resting)
d) heart rate variability (HRV)
e) sleep cycles and sleep duration
f) activity level (e.g., active minutes, heart rate zones)
g) energy expenditure (calories)
h) sports activity information (running, walking, cycling, workouts), and, where applicable
i) health indicators provided by the API (e.g., blood oxygenation, stress index, if available)
(collectively, "health data"; non-health data and health data together, "personal data").
2.3 The Provider will process the personal data specified in Articles 2.1 and 2.2 to the extent necessary for: a) providing Services requiring access to personal data, including health data, b) synchronizing data from devices, c) technical operation of the account and application, d) individual analytics, and e) displaying user statistics and other related outputs. Processing shall continue for the duration of the user account and for the time necessary to fulfill all obligations arising from the Agreement. For the purposes of legal claims, personal data shall be retained for a maximum of the limitation period, but no longer than 15 years from the termination of the contractual relationship.
2.4 Once the reason for processing the data has ceased to exist, the Provider will erase the personal data.
- SPECIFIC PROVISIONS ON HEALTH DATA
3.1 The health data referred to in Article 2.2 (e.g., heart rate, HRV, sleep, activity, steps) will be processed by the Provider exclusively on the basis of the User's voluntary, active, and explicit consent within the meaning of Article 9(2)(a) of the GDPR. Consent is entirely voluntary and is not a condition for the provision of Services to the extent that they relate to general advice, but a large part of the Services cannot be provided without this consent, precisely because of the nature of the service consisting in the analysis of this input data. Consent may be revoked at any time by sending a request to Bubenská 1158/17, Holešovice, 170 00 Praha 7 or through a function in the user account. The withdrawal does not affect the processing carried out prior to its withdrawal. The Provider may process data on the basis of consent for a maximum period of 5 years. The processing period may be shorter if the Customer withdraws their consent. Withdrawal can be made at any time by sending a request to Bubenská 1158/17, Holešovice, 170 00 Praha 7 or by actively unsubscribing directly via email.
3.2 In order to ensure compliance with individual obligations under the GDPR, the provision of services involving health data is subject to the granting of consent in accordance with Article 9(2)(a) of the GDPR (see above), and consent is granted by means of active confirmation ("opt-in"), which includes:
a) clear identification of the categories of health data that will be synchronized from the device (e.g., heart rate, sleep, steps),
b) a clear list of the purposes for which the health data will be processed (in particular, analysis and display of results),
c) indication of the possibility to withdraw consent at any time, confirmation that consent is voluntary and not a condition for other services that do not require health data.
At the same time, consent may be withdrawn in the same manner as it was given, or by sending a request to the email address specified in this Policy above. Withdrawal of consent does not affect the lawfulness of processing already carried out. The Customer is then informed that withdrawal of consent will result in the inability to use features that require access to health data.
3.3 The Provider therefore accesses health and activity data only after the Customer has given their unambiguous and explicit consent via the device interface or a third-party environment (e.g., Apple Health, Google Fit, Fitbit, Garmin Connect, Xiaomi, Samsung Health). Only data that the User himself authorizes and that is necessary for the functioning of specific application features is synchronized. Neither the Provider nor any of its applications synchronizes any other data provided by the API that is not necessary for the purpose of use.
3.4 In addition, health data is used exclusively for the following purposes:
a) displaying user statistics in the application,
b) individual analysis of activities and trends,
c) creation of personalized recommendations,
d) technical synchronization.
The Provider never uses health data for advertising, marketing, or behavioral targeting.
3.5 Health and activity data is not:
a) sold,
b) provided to third parties,
c) shared with advertising partners,
d) used for analytics or other commercial purposes,
e) used for purposes other than those specified in this Policy.
Data may only be shared with services that the Customer actively connects and that are necessary for the provision of the main functionality of the application.
3.6 The Provider will never:
a) connect or otherwise provide health data to or from Google Ads, Facebook Ads, Adjust, Appsflyer, or other advertising SDKs, nor
b) transfer health data to any marketing partners.
3.7 Health data is never stored in unencrypted storage, on third-party devices without consent, in system logs, or in analytical tools, and this data is never used for further training of any models or for other improvements to artificial intelligence functionalities. Health data and non-health data are always linked using an internal anonymized user ID to minimize any interference with the Customer's rights.
3.8 Health data is processed only in the Provider's systems and is not transferred to other entities, with the exception of cloud service providers that meet the requirements of the GDPR and the conditions of individual APIs, and cases where the Customer actively links their account with the Provider to a third-party service.
3.9 The user has the option at any time to turn off data synchronization, revoke consent to access health data in the device interface, and request the deletion of all synchronized data. The revocation is effective immediately and will stop further synchronization.
3.10 The processing of health data may constitute an activity with an increased risk to the rights and freedoms of data subjects. The Provider has therefore conducted a data protection impact assessment (DPIA) in cases where:
a) a large set of health data is processed,
b) profiling or automated analysis takes place,
c) the processing is carried out systematically and repeatedly.
The Customer is informed that a DPIA is an internal process whose purpose is to ensure that processing is carried out securely, in accordance with the GDPR and using appropriate technical and organizational measures.
3.11 However, the Provider implements technical and organizational measures, including in particular:
a) encryption of data during transmission,
b) encryption of data stored in the database,
c) strict control of access to data,
d) access audit logs,
e) separation of health data from non-health data,
f) regular rotation of synchronization API tokens.
- COMMON PROVISIONS ON PROCESSING
4.1 The Provider may entrust the processing of data to a processor within the scope of the personal data processing activities described above. The processing of personal data by third parties may be governed by their own terms and conditions. The Customer agrees that the Provider may transfer personal data to processors if this is necessary to fulfill the above-mentioned purposes of data processing. Processors entrusted by the Provider with the processing of personal data must meet high standards of protection and will always handle the data within the limits of the GDPR and this Policy.
4.2 The Provider will always make every effort to prevent the unauthorized processing of personal data by other persons, but is not liable to the user or other data subjects for any damage caused by the unauthorized processing of personal data by a third party.
4.3 Emails sent to Customers in connection with the sale of goods and the provision of Services are not considered unsolicited commercial communications within the meaning of Act No. 40/1995 Coll. on Advertising and Act No. 480/2004 Coll. on Certain Information Society Services. However, the Customer expressly agrees, within the meaning of Section 7(2) of Act No. 480/2004 Coll., on certain information society services and on amendments to certain acts (Act on Certain Information Society Services), as amended, to the sending of Commercial Communications by the Provider to the Customer's email address or telephone number.
4.4 If the Provider becomes aware of a security risk related to personal data that affects the Customer, the Provider shall notify the Customer of this fact without undue delay.
4.5 The Provider shall provide the Customer with cooperation and legal assistance in claiming damages from the responsible processors in the event of a personal data leak or other event leading to loss. However, the Provider is not responsible for the incorrect procedures of the processors.
4.6 The Customer hereby confirms that the personal data provided is true, accurate, and relates exclusively to the Customer, or that they have provided data whose use does not violate the rights of third parties. The Customer is obliged to always inform the Provider of any changes to their personal data so that only current and complete data is processed.
4.7 Personal data will be processed electronically in a non-automated manner.
4.8 Anonymized personal data (which is no longer considered personal data within the meaning of the GDPR) may also be processed by automated means. However, the Customer or other data subjects will not be subject to individual automated decision-making within the meaning of Article 22 of the GDPR.
- CUSTOMER RIGHTS IN RELATION TO PERSONAL DATA
5.1 The Customer may exercise their rights under the GDPR at any time by sending an email to mifkova@smpl.cz. The Provider will endeavor to resolve requests relating to the Customer's personal data as soon as possible, but no later than within 30 days. The Customer's rights include:
a) an explanation of whether and what personal data is being processed, and, if applicable, to request the Provider to disclose it;
b) correction of personal data if there is concern that some of it is inaccurate or missing;
c) restriction of processing if there is concern that the Provider is processing more data than is necessary;
d) erasure of personal data, whereby the Provider will comply with the request provided that there is no other legal reason for further processing of personal data;
e) issuing a copy of personal data processed by automated means on the basis of the Provider's consent or in connection with the fulfillment of the Provider's contractual obligations, in a machine-readable format;
f) temporary freezing of data processing operations for the purposes of the Provider's legitimate interest;
g) lodging a complaint directly with the Office for Personal Data Protection (www.uoou.cz) or another competent national data protection authority if the Customer believes that the Provider is processing personal data in violation of these Principles or legal regulations.
5.2 As mentioned above, the Customer may exercise their rights against the Provider in several different ways. Since the Provider uses third-party interfaces (APIs) supplied by device manufacturers or platforms that enable the synchronization of health data, Customers may request that specific security and operational conditions be met, in particular:
a) minimizing the scope of synchronized data to only the data necessary for the functionality of the service,
b) encryption of data during transmission and storage,
c) clear separation of health data from other data,
d) keeping audit records of data access,
e) the ability to completely delete data at the User's request,
f) preventing any marketing use of health data,
g) regular checking of access tokens and their automatic expiration,
h) restriction of access to authorized personnel only.
- FINAL PROVISIONS
6.1 The Provider is entitled to unilaterally amend these Principles. The new version of the Principles shall become effective upon publication on the Website. A Customer who has a contractual relationship with the Provider governed by these Principles at the time of the change will receive a notification of the change in the Principles from the Provider at the contact email address provided by the Customer, if known to the Provider.
6.2 All legal relationships between the Provider and the Customer arising from these Principles are governed by the applicable law of the Czech Republic. All disputes arising between the Provider or the Customer from these Principles or in connection with them shall be resolved before the competent civil court in the Czech Republic.
6.3 If the relationship established by the Agreement contains an international (foreign) element, the choice of law under the previous sentence does not deprive the Customer – Consumer of the protection afforded to them by the provisions of the legal order from which it is not possible to contractually deviate, and which, in the absence of a choice of law, would otherwise apply pursuant to the provisions of Article 6(1) of Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I).
6.4 If any provision of the Principles is or becomes invalid or ineffective, it shall be replaced by a provision whose meaning is as close as possible to that of the invalid provision. The invalidity or ineffectiveness of one provision shall not affect the validity of the other provisions of these Principles.
6.5 These Principles shall take effect on the date of their publication.
In Prague on 21.11.2025
EXPLICIT CONSENT FOR PROCESSING HEALTH AND ACTIVITY DATA
- Scope of the Explicit Consent
By granting explicit consent, the User permits the Provider to access and process the specific categories of health and activity data listed below, solely for the purposes described in this Policy. No data is accessed without the User’s prior opt-in. Categories of data:
- Heart Rate Data: resting heart rate, average heart rate, maximum heart rate, HRV.
- Steps and Activity Data: steps taken, distance, calories burned, activity minutes.
- Sleep Data: sleep duration, sleep stages, sleep-cycle metrics.
- Workout and Training Data: running, walking, cycling, recorded activities.
- Additional Health Indicators (device-dependent): SpO2, stress index, respiratory rate.
Only categories selected by the User are accessed.
- Purpose of Processing Data
Data is processed exclusively for:
- personalized analytics, insights, summaries,
- trend visualization,
- personalized recommendations,
- synchronization with devices, ensuring technical operation.
No marketing, advertising, profiling, or behavioural targeting.
- Voluntary Nature of Consent
Consent is voluntary; features requiring health data may not function without it.
- Withdrawal of Consent
Users may withdraw consent anytime by disabling sync, revoking permissions in device settings, or contacting the Provider. Withdrawal:
- does not affect prior lawful processing,
- immediately stops sync,
- triggers deletion/anonymization of existing data where legally possible.
- Data Retention
Data is retained only for the duration of consent, max 5 years unless shorter requested or required by law. Irreversibly anonymized or deleted when no longer needed.
- Restrictions on Sharing and Disclosure
The Provider does not:
- sell data,
- share with advertisers,
- disclose for commercial purposes.
Data is shared only with:
- services explicitly connected by the User,
- GDPR compliant technical service providers.
- Security Measures
Includes:
- encryption in transit and at rest,
- access control,
- secure token management,
- audit logs,
- data minimization and strict separation.
- Transfers Outside the EU/EEA
The Provider stores all data exclusively within the EEA. API providers (Apple, Google, Garmin, Fitbit, Samsung, Xiaomi) may process data per their infrastructure and SCCs. The Provider itself initiates no transfers outside the EEA.
- Legal Basis
Explicit consent per Article 6(1)(a) GDPR and Article 9(2)(a) GDPR.
- Rights of the User
Users may exercise all rights described in the Provider’s Privacy Policy, including access, rectification, deletion, restriction, and portability.
- Record of Consent
Provider maintains timestamp, chosen categories, consent methods, and withdrawal records.
- Effect of Declining Consent
If consent is not granted:
- no health data is collected,
- no sync occurs,
- features dependent on health data are disabled; others remain available.
REQUIRED EXPLANATORY TEXTS
App Review Information – Purpose of Health Data Access
This app accesses health and activity data exclusively to provide users with personalized analytics, insights, and activity summaries. Data such as steps, heart rate, sleep patterns, and activity metrics are used only to generate visualizations, analytics, and recommendations that help users understand their own physical activity and wellness trends.
The app does not use health data for advertising, marketing, profiling, or selling data to third parties.
Health data is never shared with advertisers, analytics partners, or any third-party service not explicitly authorized by the user.
Users must grant explicit opt-in consent before any health data is read or processed. The app also allows users to withdraw this consent at any time.
Apple-Specific Data Use Description (HealthKit)
This app uses HealthKit data (such as steps, heart rate, sleep, and activity metrics) to provide personalized insights, trend analysis, and wellness tracking. Health data is used only to display analytics to you and is never used for advertising, marketing, or shared with third parties.
Google Play Data Safety & Health Data Access Declaration
This app collects and processes health and fitness data from the user’s connected device solely to provide personalized analytics and to visualize activity trends. We do not share health data with any third parties, do not use it for advertising or marketing, and never sell any health information. Users can disable synchronization or withdraw consent at any time.
Full Unified Statement
- Health and fitness data is accessed only after explicit user permission (opt-in).
- Only data categories that the user selects are read (no unrequested data is collected).
- Health data is used only to provide analytics, insights, summaries, and trend visualizations.
- No health or activity data is used for advertising, marketing, personalization of ads, or tracking.
- Health data is never shared, sold, or disclosed to third parties except services explicitly connected by the user.
- Health data is encrypted in transit and at rest.
- Users may revoke permissions or request deletion of their health data at any time.
- Revoking permission immediately stops further synchronization.
- Health data is not combined with third-party advertising identifiers or analytics systems.