Datenschutzerklärung

Last updated: 16 April 2026

Controller

CheckupScout GmbH
Henkestraße 91, 91052 Erlangen, Germany
Email: info@checkupscout.de
Managing Directors: Timo Freitag, Christian Balzer

checkup.AI operates this shop and this website, including all related information, content, features, tools, products and services, in order to provide you as a customer with an individual shopping experience (the “Services”). checkup.AI is built on Shopify, which enables us to provide you with the Services. This Privacy Policy describes how we collect, use and share personal data when you visit, use or make a purchase or any other transaction using the Services, or otherwise communicate with us. If there is a conflict between our general terms and conditions and this Privacy Policy, this Privacy Policy takes precedence with regard to the collection, processing and sharing of your personal data.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you confirm that you have read this Privacy Policy and consent to the collection, use and sharing of your data as described in this Privacy Policy.

Scope of this Privacy Policy

This Privacy Policy applies to two separate services operated by CheckupScout GmbH:

  • The online shop and the website www.checkup.ai (based on Shopify). Here, personal data is processed for the purchase process, shipping, payment processing, as well as for marketing and communication purposes. The sections “What personal data do we collect or process?”, “How do we use your personal data?”, “How do we share personal data?”, “Relationship with Shopify” and “Payment processing” apply exclusively to the use of the shop and the website.
  • The checkup.AI app (available on the App Store and Google Play Store). The app operates fully anonymously. No personal contact data such as name, email address or telephone number is collected. The processing of app data is described exclusively in the section “Data protection in the checkup.AI app”.

No data is merged between these two services. Use of the app is possible independently of any shop account or purchase.

What personal data do we collect or process?

When we use the term “personal data”, we refer to information that identifies you or another person, or that can be directly linked to you. Personal data does not include information that is collected anonymously or that has been anonymised in such a way that identification or attribution to your person is not possible. Depending on how you interact with the Services, where you live and as permitted or required by applicable law, we may collect or process the following categories of personal data, including inferences drawn from this personal data:

  • Contact data including name, postal address, billing address, delivery address, telephone number and email address.
  • Financial data including credit card, debit card and financial account numbers, payment card information, financial account information, transaction details, payment method, payment confirmation and other payment details.
  • Account information including username, password, security questions, configurations and settings.
  • Transaction information including the items you view, add to your cart, place on your wish list or purchase, return, exchange or cancel, as well as your past transactions.
  • Communications with us including the information you provide when communicating with us, for example when you submit a request to customer support.
  • Device information including information about your device, browser or network connection, IP address and other unique identifiers.
  • Usage information including information about your interaction with the Services, including how and when you interact with or browse the Services.

Data protection in the checkup.AI app

The checkup.AI app allows users to assess their health using scientifically validated checks and to receive personalised recommendations. The app is provided as an employer benefit or directly via the App Store and Google Play Store, and operates fully anonymously.

1. No personal data

The app does not collect any personal contact data. We do not ask for your name, email address, telephone number or postal address. Identification of your person through use of the app is technically not possible — neither by us nor by your employer.

2. What data is processed in the app?

a) Health-related information that you voluntarily enter:

  • Age, gender, height, weight
  • Answers to health checks (e.g. nutrition, sleep, stress, physical activity)
  • Your personal health goals
  • A freely chosen display name (may be a pseudonym)

b) Anonymous user identifier (PAT token): On first launch, the app generates a random, anonymous identifier (Patient Access Token, PAT). This identifier is used solely to associate your check results with your device in our backend. It contains no personal information and cannot be linked to real identities.

c) Usage information: In order to continue the dialogue flow with the coach and to recognise completed checks, we store technically necessary usage data such as previously passed dialogue checkpoints and the status of individual checks.

d) Crash and performance data (Firebase Crashlytics): To ensure the stability and quality of the app, we use Firebase Crashlytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). In the event of errors, technical information such as crash logs, device type, operating system version and performance data is collected. This data is not linked to your identity and is not used for advertising purposes. Further information: https://firebase.google.com/support/privacy.

3. No tracking, no advertising

The app does not use any advertising networks, attribution tools or third-party SDKs to track user behaviour (e.g. no Facebook SDK, no Google AdMob, no AppsFlyer). No data is passed on to advertising networks or data brokers. The app does not use your data for advertising purposes.

4. No sharing with third parties

Your health data entered in the app is not shared with third parties. Your employer has no access at any time to individual health data or results. The technical processing is carried out by the following data processors, with whom contracts pursuant to Art. 28 GDPR are in place:

  • Railway Inc. (hosting, EU region)
  • Google Ireland Limited (Firebase Crashlytics)

5. Data storage and server location

All app data is stored encrypted on servers within the European Union. Transmission takes place exclusively via encrypted connections (HTTPS/TLS).

6. Medical device

The evaluation of the health checks is carried out by a certified medical device operated as a backend service, which uses scientifically validated algorithms. The app itself is a display system for the results. The app does not replace a visit to the doctor and does not provide medical diagnoses.

7. Legal bases

  • Processing of health data: Art. 9(2)(a) GDPR (explicit consent, obtained on first launch of the app).
  • Technically necessary usage and identifier data: Art. 6(1)(b) GDPR (performance of contract).
  • Crash and performance data: Art. 6(1)(f) GDPR (legitimate interest in app stability).

8. Deletion and your rights

You can reset your data at any time via the settings in the app. All stored health data is then irrevocably deleted. As the data is anonymous, access or rectification by us is technically only possible if you provide us with your PAT token. Further rights (withdrawal of consent, right to lodge a complaint) are described in the general section “Your rights and choices” and apply accordingly.

Sources of personal data

We may collect personal data from the following sources:

  • Directly from you. We collect data, among other things, when you create an account, access or use the Services, communicate with us or otherwise provide us with your personal data.
  • Automatically via the Services. We collect data, among other things, from your device or when you use our products or services or visit our website, as well as through the use of cookies and similar technologies. We use technically necessary cookies to enable basic shop functions (e.g. shopping cart, login). Non-essential cookies (e.g. for marketing or statistics) are only set with your consent. Further information can be found in our cookie policy.
  • From our service providers. We collect data, among other things, when we instruct service providers to enable certain technologies and when they collect or process your personal data on our behalf.
  • From our partners and other third parties.

How do we use your personal data?

Depending on how you interact with us or which of the Services you use, we may use personal data for the following purposes:

  • Provision, customisation and improvement of the Services. We use your personal data to provide the Services to you. This includes, among other things, the performance of our contract with you, processing your payments, fulfilling your orders, storing your configurations and the items you are interested in, sending notifications in connection with your account, creating, maintaining and otherwise managing your account, organising shipping, facilitating returns and exchanges, enabling you to leave reviews, and creating an individual shopping experience for you, for example by recommending products based on your purchases. This may also include the use of your personal data to better customise and improve the Services.
  • Marketing and advertising. We use your personal data for marketing and advertising purposes, for example to send marketing and advertising communications by email, SMS or post and to display online advertising for products or services for the Services or other websites, including based on items you have previously purchased or placed in your cart, as well as other activities relating to the Services.
  • Security and fraud prevention. We use your personal data to authenticate your account, to provide a secure payment and shopping experience, to detect, investigate or take action against potential fraudulent, illegal, unsafe or malicious activity, to protect public safety and to ensure the security of our Services. If you choose to use the Services and register an account, you are responsible for protecting your account login data. We strongly recommend that you do not share your username, password or other access data with other persons.
  • Communication with you. We use your personal data to provide you with customer support and effective Services, to respond promptly to your inquiries and to maintain our business relationship with you.
  • Legal reasons. We use your personal data to comply with applicable law or to respond to lawful procedural steps, including requests from law enforcement or regulatory authorities, to investigate or participate in civil investigations, potential or actual legal disputes or other adversarial proceedings, and to investigate potential violations of our terms or policies or to enforce the terms and policies.
  • We use analytics tools provided by Shopify to create aggregated statistics about user behaviour in our shop. No personal profiles are created in the process.

How do we share personal data?

Under certain circumstances, we may share your personal data for legitimate purposes in accordance with this Privacy Policy with third parties. Such circumstances may include the following:

  • At Shopify, these are vendors and other third parties who provide services on our behalf (e.g. IT management, payment processing, data analysis, customer support, cloud storage, fulfilment and shipping).
  • We share personal data with business and marketing partners who provide marketing services for you and display advertising to you. For example, we use Shopify to support personalised advertising with services from third parties based on your online activities at various merchants and websites. Our business and marketing partners use your data in accordance with their own privacy policies. Depending on where you live, you may have the right to instruct us not to share information about you in order to show you targeted advertising and marketing based on your online activities at various merchants and websites.
  • When you ask us to, or otherwise consent to, share certain information with third parties, for example to deliver products to you, or when you use social media widgets or login integrations.
  • We share personal data with our affiliates or otherwise within our corporate group.
  • In connection with a business transaction such as a merger or insolvency, to comply with applicable legal obligations (including responding to subpoenas, search warrants and similar requests), to enforce applicable terms of service or policies, and to protect or defend the Services, our rights and the rights of our users or others.

Relationship with Shopify

The Services are hosted by Shopify, with Shopify collecting and processing personal data about your access to and use of the Services in order to provide and improve the Services to you. Data that you transmit to the Services is shared with Shopify as well as with third parties who may be located in countries other than your country of residence in order to provide and improve the Services for you. In order to protect, expand and improve our business, we also use certain advanced Shopify features that incorporate data and information from your interactions with our shop, with other merchants and with Shopify. In order to provide these advanced features, Shopify may use personal data collected about your interactions with our shop, other merchants and Shopify. In these circumstances, Shopify is responsible for the processing of your personal data, including responding to your requests regarding the exercise of your rights concerning the use of your personal data for these purposes. For further information on how Shopify uses your personal data and what rights you have, see Shopify’s consumer privacy policy. Depending on where you reside, you may exercise certain rights regarding your personal data listed here via the Shopify privacy portal.

Payment processing

For payments we use Shopify Payments and, where applicable, other providers (e.g. PayPal). To process the payment, the respective necessary payment data (e.g. amount, payment method, order reference) is transmitted to the corresponding payment service provider. The legal basis is Art. 6(1)(b) GDPR (performance of contract).

Third-party websites and links

The Services may provide links to websites or other online platforms operated by third parties. If you follow links to websites that are not affiliate sites or are not controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such websites, including the accuracy, completeness or reliability of the information on these websites. Information that you provide in public or semi-public places, including information that you share on third-party social networking platforms, may also be viewed by other users of the Services and/or users of these third-party platforms, without restrictions on its use by us or by a third party. Our inclusion of such links does not imply that we endorse the content of these platforms or their owners or operators, unless expressly stated in the Services.

Children’s data

The Services are not intended for use by children, and we do not knowingly collect personal data from children who have not yet reached the age of majority in your country. If you are the parent or guardian of a child who has provided us with their personal data, you can contact us using the contact details below to request the deletion of this data. As of the effective date of this Privacy Policy, we are not aware that we “share” or “sell” personal data of persons under the age of 16 (as defined by applicable law).

Security and retention of your data

Please note that no security measure is perfect or impenetrable, and we therefore cannot guarantee “perfect security”. In addition, information you send to us may be at risk during transmission. We recommend that you do not use insecure channels to transmit sensitive or confidential information to us.

How long we retain your personal data depends on various factors. These include, for example, whether we need the data to administer your account, provide services to you, comply with legal obligations, resolve disputes or enforce other applicable contracts and policies.

Your rights and choices

Depending on where you reside, you may have some or all of the rights listed below with regard to your personal data. However, these rights are not absolute, may only apply in certain circumstances, and in certain cases we may refuse your request to the extent permitted by law.

  • Right of access. You may have the right to request access to the personal data we hold about you.
  • Right to erasure. You may have the right to request that we delete the personal data we hold about you.
  • Right to rectification. You may have the right to request that we correct inaccurate personal data we hold about you.
  • Right to data portability. You may have the right to receive a copy of the personal data we hold about you and to request that we transmit it to a third party in certain circumstances and with certain exceptions.
  • Managing communication preferences. We may send you promotional emails. You can object to receiving these emails at any time by using the unsubscribe option contained in our emails to you. If you opt out, we may still send you non-promotional emails, for example about your account or orders you have placed.

If you reside in the United Kingdom or the European Economic Area, subject to the exceptions and limitations of local law, in addition to the above rights you may exercise the following rights:

  • Right to object and right to restriction of processing. You may have the right to request that we stop or restrict the processing of personal data for certain purposes.
  • Withdrawal of consent. Where we rely on consent to process your personal data, you have the right to withdraw that consent. If you withdraw your consent, this will not affect the lawfulness of processing based on your consent before its withdrawal.

You can exercise these rights where indicated in the Services, or by contacting us using the contact details below. For further information on how Shopify uses your personal data and what rights you have, including rights in relation to data processed by Shopify, please visit https://privacy.shopify.com/en.

You will not suffer any disadvantages by exercising these rights. Where permitted or required by applicable law, we may need to verify your identity before we can process your requests. In accordance with applicable law, you may designate an authorised agent to make requests to exercise your rights on your behalf. Before we accept such a request from an agent, we will require that agent to prove that you have authorised them to act on your behalf. This may require you to confirm your identity directly to us. We will respond to your request promptly within the framework of applicable law.

Competent data protection supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany

Complaints

If you have complaints about how we process your personal data, please contact us using the contact details below. Depending on where you reside, you have the right to appeal our decision by contacting us at the contact details below or by lodging a complaint with the competent data protection authority. For the European Economic Area there is a list of competent data protection supervisory authorities available.

International transfers

Please note that we may transfer, store and process your personal data outside the country in which you reside.

When we transfer your personal data outside the European Economic Area or the United Kingdom, we rely on recognised transfer mechanisms such as the Standard Contractual Clauses of the European Commission or equivalent contracts issued by the respective competent authority of the United Kingdom, unless the data transfer is made to a country that has been demonstrated to provide an adequate level of protection.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes to our practices or for other operational, legal or regulatory reasons. We will publish the revised Privacy Policy on this website, update the “Last updated” date accordingly and give notice as required by applicable law.

Contact

If you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please contact us by email at kontakt@checkup.ai or by post at Henkestraße 91, Erlangen, 91052, Germany. For the purposes of applicable data protection laws, we are the data controller responsible for your personal data.