Data Privacy Policy
Version 2.1 – Updated on 20 January 2026
I. Introduction
SanoLabs GmbH i.G. takes the protection of your personal data seriously. This Privacy Policy explains how we collect, process, and protect your data when you use the Sam App (formerly Viraa), our website, and related services. We comply with the EU General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (BDSG), and all other applicable data protection laws. Marketing language has been avoided to ensure legal clarity.
II. Definitions
- Personal Data: Any information relating to an identified or identifiable individual (Art. 4(1) GDPR).
- Health Data: Personal Data concerning health status (Art. 4(15) GDPR). Processing requires explicit consent (Art. 9(2)(a) GDPR).
- Anonymized Data: Data that has been irreversibly altered so that identification of a person is impossible.
- Pseudonymized Data: Data that can only be attributed to a person with additional separate information.
- Data Controller: SanoLabs GmbH, which determines purposes and means of processing.
- Processor: Any external entity processing data on behalf of SanoLabs GmbH, bound by data processing agreements under Art. 28 GDPR.
III. Sources of Personal Data
We collect data in the following contexts:
- Website visits: IP address, browser type, and usage data via cookies (see cookie policy).
- Account creation: Identity and login information (name, email, password, date of birth).
- Use of Services: Physiological and technical data, e.g., steps, heart rate, sleep patterns, depending on device permissions.
- Targeted communication: User segmentation for communication preferences and advertising. Health Data is not shared with third parties.
- Support and contact: Data provided when contacting support (name, request content).
- Research participation: Responses to questionnaires, with separate explicit consent.
- Automatically collected data: Device identifiers, IP addresses, geolocation (if consented).
IV. Legal Bases for Processing
- Contract performance (Art. 6(1)(b) GDPR): Account creation, provision of services.
- Consent (Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR for Health Data): Research participation, Health Data processing, marketing.
- Legal obligation (Art. 6(1)(c) GDPR): Tax, accounting, vigilance obligations.
- Legitimate interest (Art. 6(1)(f) GDPR): Fraud prevention, IT security, improvement of services – excluding Health Data.
V. Consent and Withdrawal
- Consent is obtained separately and explicitly for Health Data, research, and marketing.
- Users may withdraw consent at any time with effect for the future via in-app settings or by emailing privacy@sanolabs.eu. Withdrawal shall be as easy as giving consent.
- For minors, parental consent is required (Art. 8 GDPR).
VI. Retention of Data
- Personal Data is stored only as long as necessary for the purposes outlined, or as legally required.
- Examples:
  - Support tickets: max. 3 years, unless legal claims require longer.
  - Accounting data: 10 years (HGB/AO).
  - Vigilance/adverse event reports: 10 years unless longer required under medical device law.
  - Health Data: until account deletion or withdrawal of consent.
- Backup data: Backups cannot be individually modified but are overwritten in cycles to ensure compliance.
- Inactive accounts: Deleted after 3 years of inactivity, following 90 days’ notice.
VII. Data Sharing and Transfers
- Internal sharing: Only with authorized staff bound by confidentiality.
- Processors: IT providers, hosting providers, and support partners under Art. 28 GDPR agreements.
- Third-country transfers: Only where safeguards exist under Art. 46 GDPR (Standard Contractual Clauses, adequacy decisions).
- Legal disclosures: Data may be shared when required by law, with prior notice unless prohibited.
- Research partners: Only anonymized or aggregated data is shared.
VIII. Security Measures
- SanoLabs GmbH i.G. implements appropriate technical and organizational measures (Art. 32 GDPR), including encryption, pseudonymization, access controls, and regular audits.
- In case of a data breach, SanoLabs GmbH i.G. will notify the supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay (Art. 34 GDPR).
IX. User Rights
Users may exercise the following rights:
- Right to information and access (Art. 15 GDPR).
- Right to rectification (Art. 16 GDPR).
- Right to erasure (Art. 17 GDPR).
- Right to restriction (Art. 18 GDPR).
- Right to portability (Art. 20 GDPR).
- Right to object (Art. 21 GDPR), including:
  - General right to object to processing based on legitimate interests,
  - Absolute right to object to processing for direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR).
- Right to lodge a complaint with the competent supervisory authority.
Requests should be sent to privacy@sanolabs.eu. Proof of identity may be required. Responses will be provided within one month.
X. Automated Decision-Making
SanoLabs GmbH i.G. does not use personal data for automated decision-making or profiling within the meaning of Art. 22 GDPR.
XI. Hosting and Storage
- Health Data is stored exclusively in Germany on Google Cloud servers.
- Other Personal Data may be processed outside the EEA only with adequate safeguards.
XII. Severability and Link to GTC
This Privacy Policy is an integral part of the contractual framework with the User. If provisions conflict with mandatory law, statutory rules prevail. The remainder remains valid.
U.S. Addendum – Privacy Rights for U.S. Residents
If you are a resident of the United States, including California, the following additional rights apply under state and federal privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) and comparable state laws.
1. No Sale or Sharing of Personal Information
SanoLabs GmbH i.G. does not sell your Personal Information and does not share it for cross-context behavioral advertising within the meaning of CCPA/CPRA.
2. Rights of U.S. Residents
In addition to the rights set out in the GDPR section of this Policy, U.S. residents may exercise the following rights:
- Right to Know: You may request information about the categories and specific pieces of Personal Information we collect and disclose.
- Right to Delete: You may request the deletion of Personal Information we hold about you, subject to legal retention requirements.
- Right to Correct: You may request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: You may request that we do not sell or share your Personal Information.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit use and disclosure of sensitive information (e.g., health data, biometric data) to what is necessary to provide the Services.
- Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
3. Exercising Your U.S. Rights
You may exercise these rights free of charge by contacting us at privacy@sanolabs.eu. We may need to verify your identity before processing your request. Authorized agents may submit requests on your behalf where permitted by law.
4. Response Times
We will respond to requests within the timelines required by applicable U.S. law (generally 45 days, extendable by an additional 45 days if necessary).
5. Data Breach Notification
In addition to our GDPR obligations, in the event of a data breach affecting U.S. residents, we will provide notifications in accordance with applicable federal and state data breach notification laws (e.g., California Civil Code § 1798.82).