ZenZen Privacy Notice

Effective Date: 01.12.2025

1. Introduction

ZenZen Diabetes Support UG (haftungsbeschränkt), located at Richard Sorge Straße 27, 10249 Berlin, Germany, ("ZenZen," "we," "us," or "our") is committed to protecting your personal data. As the data controller under the General Data Protection Regulation (GDPR), we determine the purposes and means of processing your personal data ("User Data").

This Privacy Notice outlines how we collect, use, and protect your User Data when you use our products and services. Additional information may be provided within our products to supplement this notice. ZenZen processes personal data in full compliance with the General Data Protection Regulation (GDPR) and all other applicable data protection laws.

2. Legal Basis for Processing

Our processing of your personal data is based on:

  • Consent: For processing health-related data and for marketing purposes.
  • Contractual Necessity: To fulfill our obligations in providing our services.
  • Legal Obligations: Compliance with applicable laws and regulations.

3. Categories of Personal Data We Process

3.1. Identity Information

  • Name (first name, last name, initials)
  • Date of birth
  • Gender
  • Contact details (email address, phone number)

3.2. Health Data

  • Blood glucose levels
  • Carbohydrate intake
  • Physical activity
  • Sleep patterns
  • Pregnancy-related information

3.3. Usage Data

  • App usage statistics
  • Interaction with app features
  • Device information (e.g., device ID, operating system)
  • IP address (collected once at registration to determine regional server location)

3.4. Communication Data

  • Messages sent through the app
  • Feedback and survey responses

We follow the GDPR principle of data minimisation. This means we only collect and process the personal data that is strictly necessary for operating, maintaining, and improving the ZenZen service.

4. Purposes of Data Processing

4.1. Necessary Processing of Personal Data

Required to provide our services, including:

  • Account creation and management
  • Personalized support and recommendations
  • Monitoring and improving app functionality

Without this processing, we cannot offer our services.

4.2. Processing for Product Improvement (Optional)

With your consent, we use your data to:

  • Develop algorithms for therapy management
  • Enhance product features
  • Conduct research and analysis

This processing is optional.

4.3. Processing for Marketing Purposes

With your consent, we may send information about our products and services, notify you of new features or updates, or provide offers from partner organizations.

Marketing consent is optional and collected separately from other consents. You can use ZenZen without agreeing to marketing communications. You may withdraw your marketing consent or opt out of marketing messages at any time via your in-app settings or by contacting support@zenzen.me.

5. Data Sharing and Transfers

We may share your personal data with:

  • Service Providers: For hosting, analytics, and app support
  • Partner Platforms: If you choose to link your account
  • Authorities: When required by law or to protect rights
  • Regional Data Storage: Your data is stored on servers located in your geographic region. At registration, we detect your location via IP address to determine whether your data will be stored in the European Union (EU servers) or the United States (US servers). Your data remains in the assigned region and is not transferred between regions during normal operations.

Our products and services may contain links to third-party websites or services. Once you leave ZenZen’s environment, their own privacy policies apply, and we are not responsible for how external providers process your personal data.

We ensure data protection compliance when sharing data.

6. Data Security

We implement strong technical and organizational safeguards, including:

  • Encryption of data during transmission
  • Secure storage systems
  • Access control and authentication

Your personal data is stored on secure infrastructure, which uses industry-standard encryption technologies, including encryption at rest and in transit. All storage systems comply with internationally recognised security standards and undergo regular audits.

Data Breach Response

In the event of a personal data breach, ZenZen follows a structured response process designed to protect users and comply with legal obligations.

Our procedure includes:

Detection: Identifying and assessing potential security incidents through automated monitoring and internal reporting channels.

Containment: Taking immediate measures to limit the impact, secure affected systems, and prevent further unauthorized access.

Assessment: Evaluating the nature and scope of the breach, including whether personal data has been compromised.

Notification: When required by law, notifying the relevant supervisory authority within 72 hours and informing affected users without undue delay.

Prevention: Implementing corrective actions and improvements to prevent future incidents.

AI Monitoring and Maintenance

ZenZen uses AI-based features, including automated messaging and in-app conversational support. These systems are monitored on a regular basis to ensure accuracy, safety, and performance. Our internal team reviews model behaviour, system outputs, and performance logs as part of ongoing maintenance. Any issues are addressed through updates, retraining, or manual corrections. AI outputs are not independently verified in real time and should not be relied upon as medical advice.

7. Data Retention

We retain data only as long as necessary for service provision or legal compliance. Once no longer needed, data is securely deleted or anonymized.

8. Your Rights

Under GDPR, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase data
  • Restrict processing
  • Port your data
  • Object to processing
  • Withdraw consent at any time

Contact us at support@zenzen.me to exercise these rights. ZenZen responds to requests to exercise your data protection rights without undue delay and, in any event, within two months, as permitted under the GDPR.

9. International Data Transfers

We store your data regionally based on your location at registration:

  • EU Users: Data is stored on servers located in the European Union (europe-west1, Germany) and remains within EU borders
  • US Users: Data is stored on servers located in the United States (us-central1) and remains within US borders
  • Your regional assignment is determined automatically via IP-based geolocation at registration and cannot be changed. Data is not transferred between regions during normal operations.

For service providers that may access data (such as analytics or support tools), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses where applicable.

10. Changes to This Privacy Notice

We may update this Privacy Notice periodically. Material changes will be communicated, and consent obtained if necessary. The latest version is always available in the app and on our website.

11. Country-Specific Provisions

11.1. Germany

  • Health data is processed based on explicit consent under Article 9(2)(a) GDPR.
  • Personal data may also be processed to comply with German legal obligations, such as those under medical device, commercial, or tax law.
  • You may lodge a complaint with the data protection authority of your federal state.

11.2. United States

Patient Information

In accordance with the Health Insurance Portability and Accountability Act (HIPAA), any use or disclosure of protected health information by ZenZen or its subcontractors is governed by the applicable service agreement and a Business Associate Agreement (BAA) executed between you and ZenZen.

California Residents – Your Rights under CCPA

If you are a California resident as defined by the California Consumer Privacy Act (CCPA):

  • Your rights are described in the California Supplemental Privacy Notice, including how to exercise those rights.
  • Under California Civil Code Section 1798.83, you may request details about our disclosure of personal data to third parties for direct marketing purposes.
  • To make such a request, please refer to the contact details provided in the California Supplemental Privacy Notice.

Data Storage for US Users

If you register from a United States location, your personal data and health information will be stored exclusively on servers located within the United States and will not be transferred to other jurisdictions during normal operations.

Minors

We are committed to protecting the privacy of children. We do not intentionally collect data from users under 13 years of age on our websites, apps, or services. If you are a parent or guardian of a child under 13 who has submitted information, please contact us at privacy@zenzen.me to request deletion of that data.

12. Contact Information

ZenZen Diabetes Support UG (haftungsbeschränkt)
Richard Sorge Straße 27
10249 Berlin, Germany
Email: support@zenzen.me
Privacy Email (USA/Minors): privacy@zenzen.me