Privacy Policy

Effective date: April 2026. Version 1.4

1. Controller

BlueHabits GmbH
Grünstraße 15 c/o Mindspace
40212 Düsseldorf
Germany

Telephone: +49 (0)211 54266114
Email: info@bluehabits.ai
Website: https://www.bluehabits.app

Represented by the Managing Directors:
Arnd Jäger
Markus Meißner

2. Data Protection Officer

We have appointed a Data Protection Officer.

Marco Oevermann
Email: info@bluehabits.ai

3. General Information on Data Processing

We process personal data exclusively within the framework of the applicable data protection laws, in particular:

General Data Protection Regulation (GDPR)
Federal Data Protection Act (BDSG)
Telecommunications Digital Services Data Protection Act (TDDDG)

Personal data means any information relating to an identified or identifiable natural person.

4. Categories of Personal Data

Depending on how you use our services, we may process the following categories of personal data:

Registration and account data

Name
Email address
Username
Password

Profile data

personal goals
routines
preferences
voluntary profile information

Usage data

interactions with the app
progress data
frequency of use
feature usage

Device and access data

device type
operating system
IP address
app version
times of access

User content

posts
comments
messages or other content within the platform

Health or activity data

physical activity
training or routine goals
voluntarily provided health information

5. Purposes and Legal Bases of Processing

5.1 Visiting our Website

When accessing our websites (www.bluehabits.ai, www.bluehabits.app), the following data is processed automatically:

IP address
date and time
page/file accessed
referrer URL
browser type and operating system

Purpose:
Ensuring technical functionality and IT security.

Legal basis:
Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and stable operation).

Storage period:
Server log files are generally deleted after no later than 7 days.

5.2 Registration and Account Use (App)

As part of using our app, we process:

registration and account data
profile data
usage data
device and access data
user content
health or activity data

Purpose:
Performance of the contract, provision of personalized features, ensuring system security.

Legal basis:
Art. 6 para. 1 lit. b GDPR (performance of a contract).

Storage period:
Until the account is deleted, unless statutory retention obligations apply.

5.3 Personalization and AI-based Recommendations (Profiling)

Our app uses algorithmic procedures to analyze user behavior in order to generate personalized recommendations.

This includes an assessment of certain usage parameters (e.g. activity patterns, routine frequency, progress developments).

This constitutes profiling within the meaning of Art. 4 no. 4 GDPR.

There is no solely automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR.

Purpose:
Improvement of the user experience and individualized adaptation of content.

Legal basis:
Art. 6 para. 1 lit. b GDPR (performance of a contract)
where applicable, Art. 6 para. 1 lit. a GDPR (consent), if additional analysis features are activated.

You may object to processing for profiling purposes at any time in accordance with Art. 21 GDPR.

5.4 Processing of Health-related Information

If users voluntarily provide information on physical activity, fitness goals, or similar topics, this may constitute health data within the meaning of Art. 9 GDPR.

Processing takes place exclusively on the basis of explicit consent in accordance with Art. 9 para. 2 lit. a GDPR.

This consent may be withdrawn at any time with effect for the future.

5.5 Location Data

If app functions use location information, this will only be processed if you have granted the relevant permissions on your device.

Location data is processed exclusively for the purpose of providing location-based app features, for example to analyze activities or improve personalized recommendations.

Legal basis

Art. 6 para. 1 lit. b GDPR (performance of a contract), insofar as processing is necessary to provide the app features you use.

Where corresponding device permission is required, processing is additionally based on your consent pursuant to Art. 6 para. 1 lit. a GDPR.

You may withdraw permission for location data at any time via your device settings.

5.6 Use of the BlueHabits Mentor (AI-based Dialogue Function)

The BlueHabits Mentor is an AI-based dialogue function that allows users to interact with the app in natural language.

In particular, the following data is processed:

content of user inputs (e.g. questions, answers, descriptions)
individual goals, routines, and barriers
progress and usage data
context-related information from app usage

Processing is carried out in order to:

provide personalized recommendations
provide motivational support communication
analyze individual behavioral patterns
support users in implementing routines

To improve the user experience, the BlueHabits Mentor may access previous interactions and stored user data in order to generate context-based responses.

User-entered content may be processed in order to:

maintain dialogue context
improve the quality of responses
personalize the user experience

Use of this content for training or analysis purposes takes place exclusively:

in anonymized or pseudonymized form
and only insofar as legally permissible

Legal basis

Art. 6 para. 1 lit. b GDPR (performance of a contract)

Insofar as sensitive content is processed, this is additionally based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and, where applicable, Art. 9 para. 2 lit. a GDPR.

If users enter health-related or similarly sensitive information when using the BlueHabits Mentor, such processing takes place exclusively on the basis of explicit consent.

The content generated by the BlueHabits Mentor does not constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR.

The content provided by the BlueHabits Mentor serves solely for general support and does not constitute medical, therapeutic, or other professional advice.

5.7 Third-party Integrations

Our services may allow integrations with external platforms or devices, for example:

fitness tracking devices
health platforms
other applications or platforms

If you activate such an integration, data may be exchanged between the services insofar as this is necessary to provide the respective feature.

Such an integration is activated exclusively on your own initiative.

Legal basis

Art. 6 para. 1 lit. b GDPR (performance of a contract), insofar as the integration is necessary to provide the requested feature.

If you voluntarily activate an external integration, data transfer is additionally based on your consent pursuant to Art. 6 para. 1 lit. a GDPR.

The privacy policies of the respective third-party provider apply to its processing of personal data.

5.8 Content Provided by Users

If you publish or share content within our services (e.g. posts, comments, or other content), this information is processed to provide the relevant function and enable interaction between users.

Depending on your privacy settings, such content may be visible to other users within the platform.

Legal basis

Art. 6 para. 1 lit. b GDPR (performance of a contract), as processing is necessary to provide you with the platform functions for publishing and interaction.

Insofar as content is published voluntarily, processing may additionally be based on Art. 6 para. 1 lit. a GDPR (consent).

5.9 Contacting Us

When contacting us by email or form:

Legal basis:
Art. 6 para. 1 lit. b GDPR (pre-contractual measures)
or Art. 6 para. 1 lit. f GDPR.

Data is stored until the inquiry has been completed.

5.10 Analytics and Statistics Tools

We use privacy-friendly analytics tools.

Where analytics cookies are set, this is done exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 TDDDG.

6. Cookies and Consent Management

We use:

technically necessary cookies (legal basis: Section 25 para. 2 TDDDG)
optional analytics or marketing cookies (only with consent; legal basis: Section 25 para. 2 TDDDG in conjunction with Art. 6 para. 1 lit. f GDPR)

Consent may be withdrawn at any time via our consent management tool.

7. Recipients and Processors

We use service providers in the areas of:

hosting
cloud infrastructure
analytics
email communication
payment processing

We have entered into data processing agreements with all service providers in accordance with Art. 28 GDPR.

8. Transfer to Third Countries

If personal data is transferred to third countries, this is only done:

if an adequacy decision exists (Art. 45 GDPR), or
using standard contractual clauses (Art. 46 GDPR).

If data transfers to the USA take place, we rely on the EU-US Data Privacy Framework or on standard contractual clauses.

9. Storage Period

We store personal data only for as long as this is necessary for the respective processing purposes or as long as statutory retention obligations apply.

The specific storage period depends in particular on:

the purpose of the respective data processing,
the duration of use of our services,
statutory retention periods (e.g. under commercial or tax law), as well as
legitimate interests in the enforcement or defense of legal claims.

Account data and profile data are generally stored for as long as a user account exists. After the account is deleted, the associated personal data is deleted unless statutory retention obligations or legitimate interests in further storage apply.

Statutory retention obligations may arise in particular under commercial and tax law provisions (e.g. Sections 257 HGB, 147 AO) and generally amount to six or ten years.

If data is no longer required for the stated purposes and no statutory retention obligations apply, it will be deleted.

Where possible and legally permissible, data may be anonymized instead of deleted. In this case, the personal reference is permanently removed so that identification of individual persons is no longer possible.

Legal basis:

The processing of personal data for the purpose of anonymization is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in analytics, research, and the further development and improvement of our services).

After anonymization has taken place, the data no longer constitutes personal data within the meaning of the General Data Protection Regulation.

Anonymized data may in particular be used for:

statistical evaluations
scientific analyses
improving our services
further development of algorithmic systems and functions

Identification of individual persons is not possible in this context.

10. Data Security

We implement appropriate technical and organizational measures in accordance with Art. 32 GDPR, in particular:

TLS encryption
access restrictions
role-based authorization concept
pseudonymization
regular security reviews

11. Data Export and Data Portability

You have the right to request your personal data within the scope of the right to data portability pursuant to Art. 20 GDPR.

12. Research and Statistical Analysis

We may use anonymized or aggregated data to support scientific analysis or research in the fields of health, behavior, or well-being.

Identification of individual persons is excluded.

Legal basis:

Art. 6 para. 1 lit. f GDPR (legitimate interest in the analysis and further development of our services).
Where possible, we use anonymized or aggregated data.

13. Improvement of our AI Systems

We may use personal data to improve the quality, functionality, and performance of our AI-based systems, including the BlueHabits Mentor.

This includes in particular:

analysis of usage patterns
optimization of response quality
further development of algorithmic models

Where possible, this is carried out on the basis of:

anonymized data
aggregated data
pseudonymized data

Legal basis

Art. 6 para. 1 lit. f GDPR (legitimate interest in the further development of our services)

14. Corporate Transactions

In the event of a merger, acquisition, or restructuring, personal data may be transferred as part of the transaction.

Legal basis:

Art. 6 para. 1 lit. f GDPR (legitimate interest in carrying out corporate transactions).

15. Use by Minors

Our services are generally intended for persons aged 16 and older.

We do not knowingly collect personal data from persons under 16 years of age.

16. Use in the Context of Corporate Health Management (B2B)

BlueHabits may be made available to companies as part of Corporate Health Management (CHM). In this case, the following additional data protection provisions apply:

16.1 Roles of the Parties Involved

If the app is provided as part of a corporate program, a distinction must generally be made:

BlueHabits GmbH is the controller within the meaning of Art. 4 no. 7 GDPR for the processing of users’ personal data within the app.
The respective company (employer) is the controller for the organization and implementation of its CHM program.

There is no joint controllership pursuant to Art. 26 GDPR unless the purposes and means of data processing are jointly determined.

16.2 No Transfer of Individual User Data to Employers

Personal data of individual users (e.g. activity behavior, routines, progress, health information) is not transferred to the employer.

Employers receive only:

aggregated, anonymized statistics
no conclusions about individual employees
no personal performance or behavior data

Identification of individual persons is excluded.

16.3 Voluntary Nature of Use

Use of the app by employees is voluntary.

Participation in the CHM program is not a prerequisite for the employment relationship and has no consequences under employment law.

If special categories of personal data are processed (e.g. health-related information), this is done exclusively on the basis of explicit consent pursuant to Art. 9 para. 2 lit. a GDPR.

This consent may be withdrawn at any time.

16.4 Employers as Processors (Only in Special Cases)

If a company processes personal data on behalf of BlueHabits (e.g. in the context of technical integration), this is done exclusively on the basis of a data processing agreement pursuant to Art. 28 GDPR.

16.5 Protection Against Performance and Behavior Monitoring

BlueHabits is not designed and may not be used to carry out individual performance or behavior monitoring of employees.

Such use by the company is contractually excluded.

16.6 Data Transfer Within the Company

BlueHabits receives from the company only the data required for registration (e.g. business email address), insofar as the company organizes centralized registration.

No further personal data is transferred from the employer to BlueHabits unless this has been expressly agreed.

17. Your Rights

You have the following rights:

access (Art. 15 GDPR)
rectification (Art. 16 GDPR)
erasure (Art. 17 GDPR)
restriction of processing (Art. 18 GDPR)
data portability (Art. 20 GDPR)
objection (Art. 21 GDPR)
withdrawal of consent given (Art. 7 para. 3 GDPR)

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

Competent authority for North Rhine-Westphalia:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia.

18. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy. The version published from time to time shall apply.
