Data Privacy Policy

The protection of your personal data is especially important to us. Health and fitness data are at the heart of our program — and we know they are among the most sensitive information you can share.That’s why data protection has been a priority at CHIRAYOU from the very beginning: we process your data exclusively within the EU, under medical responsibility, and in line with the highest security standards.

What CHIRAYOU is about

CHIRAYOU is a physician-led preventive health program.We regularly collect relevant health data, evaluate it, and discuss it with you—digitally, personally, and preventively.The goal: to detect changes early, understand your health, and strengthen it in a targeted way.To ensure you can share this data with confidence, we have embedded data protection deeply into our system—technically, organizationally, and medically.

Controllers within the meaning of the GDPR

CHIRAYOU works with licensed physicians who provide medical consultations within the program. CHIRAYOU and the respective physicians are joint controllers within the meaning of Art. 26 GDPR. They jointly determine the purposes and means of processing personal data.
Primary data protection responsibility lies with CHIRAYOU GmbH, Hauptstraße 457, 53639 Königswinter, Germany, Email: privacy@chirayou.com.
Our partner physicians are additionally bound by medical confidentiality (Section 203 of the German Criminal Code, StGB). A summary of the key contents of the joint controller arrangement under Art. 26 GDPR is available from us upon request.

Data we collect

Personal information: name, date of birth, gender, contact details.
‍Health and fitness data: heart rate, sleep quality, activity and stress data, vital signs, blood and laboratory values.
‍Data relating to health-relevant behavior: information on nutrition, sleep, activity, tobacco and alcohol consumption.
‍Communication data and conversation content:With your prior explicit consent, video consultations may be recorded for quality assurance or training purposes.Such recordings are used exclusively for the stated purpose and subsequently anonymized.
‍Technical data: IP address, device information, browser type, app usage behavior, cookies (if you consent).

Purpose of processing

We process your data solely to provide you with physician-led preventive services and to operate our systems securely and in a user-friendly manner.

This includes in particular:

Creation and medical evaluation of your health data,
Provision of individual reports and recommendations,
Organization and conduct of medical consultations,
Anonymized evaluation for quality assurance and further development of our services,
Communication about technical matters, appointments, and user feedback.

The legal bases for processing are:

Art. 6(1)(b) GDPR (performance of a contract),
Art. 9(2)(h) GDPR (health care by medical professionals),
Art. 6(1)(a) GDPR (consent, e.g., for recordings).

Joint controllership (Art. 26 GDPR)

CHIRAYOU and the participating physicians jointly determine the purposes and scope of processing personal data.

Responsibilities are clearly allocated:

CHIRAYOU is responsible for IT security, data hosting, technical administration, fulfillment of data subject rights, and communication with supervisory authorities.
The physicians are responsible for the substantive medical consultation, medical assessment, and documentation of the consultations.
Both parties commit to high data protection standards, confidentiality, and secure technical procedures.

Requests regarding data protection rights can be addressed to CHIRAYOU; we will coordinate a response together with the respective physician.

Data sharing

Your data is not sold.

Data is only shared where necessary and lawful:

with physicians acting as part of the joint controllership with CHIRAYOU,
with laboratories for analysis of blood and biomarker samples,
with technical service providers (hosting, video services, analytics) who are strictly bound by contract to confidentiality,
with authorities where we are legally obliged to do so.

Retention and deletion

Data is stored only for as long as necessary to provide our services or to fulfill statutory retention obligations.After your membership ends or you withdraw consent, your data will be deleted or anonymized unless legal reasons prevent this.You can view your data or request deletion at any time via your user account.

Data security

CHIRAYOU protects your data through modern technical and organizational measures:

SSL/TLS encryption for data transmissions,
Two-factor authentication for physicians,
Access logging,
Secure storage within the EU,
Regular security and data protection training.

All systems are operated exclusively on servers within the European Union.

Your rights

You have the following rights at any time:

Access to the personal data we hold about you,
Rectification of inaccurate data,
Erasure (“right to be forgotten”),
Restriction of processing,
Objection to certain processing activities,
Data portability,
Withdrawal of consent with effect for the future.

To exercise your rights, simply email privacy@chirayou.com.

Recordings

Recordings of teleconsultations are made only with your prior consent. The data is used solely for quality assurance and training purposes and anonymized once the purpose ceases to apply. No personal evaluation is performed.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy, e.g., due to legal changes or new features on our platform. We will inform you in good time by email or within the app about any material changes.

Responsible contact:

CHIRAYOU GmbH
‍Hauptstraße 457,
53639 Königswinter,
Germany
Email: privacy@chirayou.com
‍
‍Data protection coordination (Art. 26 GDPR): Coordination of joint data protection requests is handled by CHIRAYOU.
Requests are processed in accordance with the joint controllership arrangement.

Last updated: October 26, 2025