D4L Collect app privacy policy
With the D4L Collect app provided by D4L data4life gGmbH (in the following “Data4Life”, “we”, “our” and “us”), you can engage in scientific studies. It's important to note that Data4Life’s offerings do not include diagnostic or medical services and explicitly do not replace treatment or advice from a doctor. The following information describes how Data4Life handles your personal data.
1. Controller and data protection officer
The controller pursuant to Art. 4 para. 7 of the General Data Protection Regulation (GDPR) for the mobile app is
D4L data4life gGmbH
c/o Digital Health Cluster (DHC) im Hasso-Plattner-Institut (HPI)
Rudolf-Breitscheid-Straße 187
14482 Potsdam
Germany
Email: we@data4life.help
You can also contact our data protection officer (DPO) by email dataprotection@data4life.help or by sending a letter to the controller’s postal address (to the attention of "the data protection officer").
2. Your rights
You have the following rights regarding personal data concerning you:
- Right to access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR; “Right to be forgotten”)
- Right to limitation of processing (Art. 18 GDPR)
- Right to object to the processing (Art. 21 GDPR)
- Right to data transferability (Art. 20 GDPR)
You also have the right to lodge a complaint regarding our processing of your personal data with a supervisory authority in the member state where you reside, work, or where the alleged infringement occurred if you believe that the processing of your personal data is unlawful. The supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht
Stahnsdorfer Damm 77
14532 Kleinmachnow
Germany
Telephone: 0049 (0)33203/356-0
Telefax: 0049 (0)33203/356-49
Email: poststelle@lda.brandenburg.de
If you have given us consent to process your data, you can revoke it at any time, affecting future processing. The lawfulness of processing your data until revocation remains unaffected.
You can contact us anytime using the communication channels listed in Section 1 above or the contact details provided in our imprint to exercise your rights or for other data protection concerns.
3. Supplementary note about your right of objection
Please be aware that if your personal data is processed based on legitimate interests within the scope of the balancing of interests according to Article 6(1)(f) GDPR, you have the right to object to such processing at any time. You can express your objection by contacting us using the channels listed in Section 1 above or the contact details in our imprint.
4. Purposes and legal bases of the processing of your personal data
Data4Life processes your personal data solely to enable participation in scientific research studies conducted by external partners.
a. Usage of the mobile app
When you use the app, certain data are automatically transmitted to the web servers of our research partners (scientific or medical research organizations), for example:
- Device IP address
- Date and time of the request
- Amount of data transmitted
- Description of the used client
The processing of this data, which contains a (pseudonymized) personal reference via the IP address, is technically necessary and is carried out in order to provide you with the offering. The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. b GDPR (processing is necessary for the fulfillment of a contract with the data subject).
The described data is stored in log files for seven days by our research partners to safeguard their infrastructure security and assist law enforcement in case of cyberattacks, such as distributed denial-of-service (DDOS) attacks. In case of an attack, log data is retained for evidentiary purposes until the incident is resolved. The legal basis for this processing is Article 6(1)(f) GDPR (processing is necessary for the legitimate interests pursued by the controller), aiming to ensure adequate security and stability of the web servers.
When installing the app for the first time, a passphrase consisting of 12 randomly generated words is created and securely stored within the app. This passphrase serves as your technical identity within the system and is crucial for utilizing the app's functions. It's imperative that you safeguard this passphrase in a secure location.
In the event of switching devices or re-installation of the app, you'll need to provide the passphrase to restore your account. Losing your passphrase means you need to create a new account and thereby generate a new identity in the system. As we do not retain any knowledge of your passphrase, we can not help you recover it once lost.
The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. b GDPR (processing is necessary for the fulfillment of a contract with the data subject).
b. Registration for scientific studies
You can register for scientific studies using the app.
If you want to participate in public studies, you can select them from the list of public studies obtained from our research partners.
If you have been invited to a closed study, you will have received a QR code or a participation code from the respective study leader. You can participate in the respective closed study by scanning the QR code or entering the participation code.
Each study is unique, so you will find the details regarding the processing of your personal data in the respective study's privacy policy. Your consent to participate in a study may be required. The privacy policy and consent will be provided to you in writing or digitally within the app before you join the study. The study leaders are responsible for the content of the privacy policy and consent.
After registering for a study, you can access the offer and content of the study through our app and utilize its functionalities.
You can leave studies at any time without providing reasons.
The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. b GDPR (processing is necessary for the fulfillment of a contract with the data subject).
c. Health-related data and research studies
The D4L Collect app may be used by the research partners defined above to conduct studies involving health-related data.
Depending on the research partner, health or study data entered or recorded through the app are either
- transmitted directly to the research partner's own systems, where Data4Life has no access, or
- processed by Data4Life solely on behalf of the research partner under a data-processing agreement, following the partner's documented instructions.
Such health-related data may include, for example, sensor or activity data (e.g. steps, heart rate, glucose levels), questionnaire responses, or other physiological measurements required by the study.
In all cases, Data4Life does not use study data for its own purposes, does not combine it with other data, and does not share it with third parties except as instructed by the research partner.
Each study provides its own consent form describing the nature and purpose of the research, the data collected, how they are handled, and how participants may withdraw.
d. Reporting an issue
You can report problems with the app using the built-in functionality.
When you report an issue, the following data is collected and sent to Data4Life:
Technical error information
Your free-text message
Optional: a screenshot of the app
Please be aware that our message and the screenshot may contain your personal data. Also the technical error information might contain data about your identity.
Reporting an issue is optional and helps us improve and further develop the app. By using the button to send the issue report you consent to Data4Life processing the above-mentioned data.
The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. a GDPR (processing based on the consent of the data subject).
You can withdraw your consent with effect for the future at any time by contacting the customer service by sending an email to we@data4life.help.
5. Receiving push notifications
The mobile app offers the functionality to use push services of the operating system manufacturer. These are short messages that can be displayed on the user's device display and with which the user is actively informed, for example, about new study activities. These messages will not contain any personal data.
In case of using the push service, a device token from Apple or a registration ID from Google is assigned. These are encrypted, pseudonymized device IDs that are disclosed to Apple or Google in order to “register” for receiving push notifications. The sole purpose of use is the provision of the push services. All notifications can be subsequently turned on or off in the settings of your device. The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. b GDPR (processing is necessary for the fulfillment of a contract with the data subject).
The messages are sent via the Google Firebase Cloud Messaging service, which is offered by Google, Inc. Mountain View, USA. Further information on Google Firebase Cloud Messaging can be found on the Firebase Cloud Messaging website and in the Google Privacy Policy.
⸻
Last updated: October 2025
