Data Protection Policy (App)

Version 1.0 – October 2025

lumetry is a medical app authorized under Regulation (EU) 2017/745. It is not connected to any product already on the market and cannot be connected to any other device. Personal data, including special categories of personal data (health data), are processed for the purpose of the app’s functionality. In addition, they may be used within the scope of legally required market surveillance and Post-Market Clinical Follow-up (PMCF) activities to optimize the product. For clinical studies, the additional data protection provisions set out in the patient information apply. The app cannot be used without a lumetry device.

We, Lumetry Diagnostics GmbH (hereinafter “we”, “us”), the provider of the lumetry app, take the protection of your data seriously.

To protect your data in the best possible way, we implement extensive technical and organizational security measures. Nevertheless, please note that the security of your data also depends on how you individually handle the app and your device—for example, if you use unsecured networks or make your smartphone available to third parties without protection. We therefore recommend that you always handle your login credentials and your device carefully to minimize risks to your personal information.

As part of your use of our app, you receive the following services from us:

  • Performance of a capnography measurement and/or spirometry measurement with a lumetry device by breathing through the device based on the selected breathing maneuver
  • Display of breathing curves (for professional users only) and trend curves (for home users only)
  • Calculation and display of metrics from the capnography/spirometry measurement

Health data are processed when the app is used.

With the following data protection policy, we inform you about the type, scope, purpose, duration and legal basis of the processing of your personal data in our lumetry app (hereinafter also the “app”). Our data protection policy is structured as follows:

  1. Information about us as controllers
  2. Information about our Data Protection Officer
  3. Your rights (rights of data subject)
  4. Processing of personal data when using our app
  5. Possible recipients
  6. Purpose changes
  7. Processing in third countries
  8. Storage and deletion of your data
  9. Data security
  10. Tools used by third-party providers
  11. Changes to this data protection policy

1. Controller

We provide you with an app that you can download to your mobile device. Below we inform you about the collection of personal data when using our app. Personal data are all data that can be related to you personally, e.g., name, height, weight, sex, email addresses, as well as, where applicable, data on user behavior (e.g., click behavior, dwell time, error reports). The processing of such usage data is based on a legitimate interest pursuant to Art. 6(1)(f) GDPR, insofar as these data are necessary for internal statistics, bug fixing, fraud detection or product optimization. For any further analysis (e.g., session replays, heatmaps, cross-device tracking), we obtain your explicit consent.

Controller for the Processing of Personal Data under the General Data Protection Regulation (GDPR) is:

Lumetry Diagnostics GmbH
Nikolaiplatz 48020 Graz
Email: contact@lumetry.at

2. Data Protection Officer

Lumetry Diagnostics GmbH has appointed a certified Data Protection Officer.

Name: Andreas Nagler- Ruhry
Email: datenschutz@lumetry.at

3. Your Rights (data subject rights)

You have the following rights with respect to us:

Right to access: You have the right to obtain from us, at any time and free of charge, information about which personal data we process about you. This includes, among other things, the purposes of processing, the categories of data, the recipients, and the planned storage period. Upon request, we will also provide you with a copy of this data. (Art. 15 GDPR)

Right to rectification: If your information changes or contains errors, please let us know — we will update your information promptly and carefully. (Art. 16 GDPR)

Right to erasure: You may request the immediate deletion of your personal data at any time. Please note that legal retention obligations, the performance of ongoing contracts, or ensuring the functionality of the app may prevent deletion. (Art. 17 GDPR)

Right to restrict processing: You may request the restriction of the processing of your personal data if one of the following conditions is met (Art 18 GDPR):

  • You contest the accuracy of the personal data (the restriction applies for a period enabling us to verify the accuracy of the personal data).
  • The processing is unlawful and you oppose the erasure of your personal data.
  • The data are no longer needed for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims.
  • You have objected to the processing (see Right to object), and the balancing of interests within the objection procedure is not yet completed.

Right to data portability: You may receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, provided that processing is carried out by automated means and is based on consent or on a contract. (Art. 20 GDPR)

Right to withdraw consent: You may withdraw your consent to the processing of personal data at any time. Please note that withdrawing your consent also means that the use of the affected services is no longer possible. The lawfulness of processing carried out before the withdrawal remains unaffected. (Art. 7 GDPR)

Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6(1)(f) GDPR (processing on the basis of legitimate interests). (Art. 21 GDPR)

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

If we process personal data for the purpose of direct marketing, you have the right to object to such processing at any time.

Right to lodge a complaint: If you believe that the processing of your personal data violates data protection regulations, you may lodge a complaint with the supervisory authority responsible for Lumetry Diagnostics GmbH. (Art. 77 GDPR)

Austrian Data Protection Authority
Wickenburggasse 8-10
1080 Vienna
Email: dsb@dsb.gv.at

4. Processing of Personal Data When Using Our App

4.1 Download of the App
The lumetry app is available through third-party distribution platforms, so-called app stores (Google Play and Apple App Store). Downloading it may require prior registration with the respective app store and installation of the app store software. Lumetry Diagnostics GmbH has no influence over the collection, processing, and use of personal data in connection with your registration and the provision of downloads in the respective app store and its software. The responsible party in this respect is solely the operator of the respective app store. For more details, please consult the privacy information provided directly by the app store provider.

 

4.2 Granting Access Permissions
At the beginning of using our mobile app, the following access permissions are required:

  • Internet access: To use the app, an active internet connection is necessary in order to store, process, and retrieve your data on our cloud servers. The app can only be used in online mode.
  • Bluetooth: The app connects via Bluetooth with the lumetry device. Corresponding access permissions are therefore required to perform a measurement.
  • Location data: With Android smartphones, access to location data must be permitted to establish the Bluetooth connection. These data are not stored or processed by us.

If you refuse or revoke access to these permissions, the app’s functionality will be unavailable or only limited. You can grant permission later again in the smartphone settings.

The lumetry app accesses your data only to the extent necessary to provide the app’s functionality. Your data are treated confidentially by us and deleted if you revoke access rights or if the data are no longer needed for functionality. The legal basis is Art. 6(1)(b) GDPR (contract performance), insofar as health data are not concerned.

 

4.3 Access to the lumetry Device
Through Bluetooth pairing, your smartphone or tablet is connected to your lumetry device so that the device data and measurement results collected can be processed in your app.

 

4.4 Creation of a User Account (Registration)
To use the functions of the app, creating a user account is required. Registration takes place upon the first launch of the app. The combination of email address and password or phone number and one-time password can be used as login credentials.

 

Login with Email Address and Password
Login credentials:

  • Email address
  • Password

When using email and password as login credentials, you will receive a confirmation link via email during the registration process. The password is stored in the form of a so-called “hash value.” A hash value is a calculated value that is uniquely generated for each password but cannot be used to derive the password itself (a so-called “one-way function”). Therefore, we do not know your password and cannot restore it in case of loss. If you lose your password, it can be reset via the app or by contacting us by email.

 

Login with Phone Number and One-Time Password
Login credentials:

  • Phone number
  • One-time password

When using your phone number as login credentials, a one-time verification code will be sent to your registered mobile number. This verification code is resent each time you log in. Therefore, only your phone number is stored in our system.

The login credentials are processed exclusively to authenticate you during login and to respond to requests. The data you provide during registration or login are processed by us in order to:

  • Verify your authorization to manage the user account,
  • Enforce the app’s terms of use and all associated rights and obligations, and
  • Contact you in order to send technical or legal notices, updates, security alerts, or other messages related to the management of your user account.

The legal basis is Art. 6(1)(b) GDPR (contract performance).

Your personal login data are stored until your personal account is deleted by you or after the termination of contract performance by us.

User Profile Data During Registration

During the registration provess, the following user profile data are also requested:

  • Name
  • Year of birth
  • Height
  • Weight
  • Sex

These data are processed insofar as they are necessary for the functionality of the app (Art. 6(1)(b) GDPR). They can be changed at any time later in the app.

 

4.5 Data Processing When Using the App
To provide you with the app’s functions, it is necessary to collect certain data during use. We only collect the data required for the app to function properly.

Technical Data

When using the lumetry app, we collect the following technical data:

  • Operating system version of the device
  • App version
  • Information about the lumetry device (date and time of pairing, device number, etc.)

These data are necessary to ensure the functionality and security of the app, as well as to handle support requests.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

 

Measurement Data (Health Data):

When using the app, the following measurement data are processed:

  • Date and time
  • Raw data from device sensors (CO2, flow, environmental conditions)
  • Calculated capnography/spirometry values
  • Various metrics calculated from the measurement data
  • Additional information provided by the user (symptoms, comments, etc.)

These measurement data are processed in order to calculate and display relevant metrics as accurately as possible. They constitute health data within the meaning of Art. 9 GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract performance), insofar as the processing is necessary for the use of the app.

 

Withdrawal of Consent

You may withdraw your consent to the processing of the described categories of data at any time without providing reasons, by sending us an email. Withdrawal of consent results in the immediate deletion of your user account, including your stored data.

 

4.6 Use of Cookies
The app does not use cookies.

 

4.7 Data Processing for Advertising Purposes
Your data are not processed for advertising purposes.

 

4.8 Google Analytics for Firebase (Application Usage Data)
With your explicit consent (Art. 6(1)(a) GDPR), which you can actively give via an optional checkbox in the app, we use Google Analytics for Firebase, an analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The following anonymized usage data are processed and stored for 14 months:

  • Frequency of use
  • Session/duration of use, to detect usability errors and optimize the app
  • Anonymous screen flows, i.e., the steps taken when using the app, to better understand user scenarios and goals
  • Demographic data, to better understand our target audience.

This information helps us to evaluate app acceptance, detect usability errors, and optimize the app. Use of the app is also fully possible without giving this consent. You can withdraw your consent at any time in the app settings.

Further information on Google Firebase privacy can be found at: https://firebase.google.com/support/privacy .

 

4.9 Firebase Crashlytics
To improve the stability and reliability of our app, we use Firebase Crashlytics, also a service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

In the event of a crash, anonymous information (state of the app at the time of the crash, installation UUID, crash trace, device manufacturer and operating system, last log messages) is transmitted to Google’s servers in the USA. These data do not contain any personal information.

Crash reports are only transmitted with your explicit consent (Art. 6(1)(a) GDPR), which you can give via an optional checkbox in the app. The app can also be used in full without this consent.

More information on Firebase privacy can be found at: https://firebase.google.com/support/privacy .

 

4.10 Use of Anonymized Data to Improve the Service
To ensure the continuous improvement of measurement calculations, Lumetry Diagnostics GmbH reserves the right to anonymize your data and then analyze it.

 

4.11 Contact
When you contact us by email, your name, email address, and any other personal data you provide are stored by us. Providing this data is necessary to process and respond to your inquiry. Data collected in this context will be deleted once storage is no longer required, or — if legal retention obligations apply — processing will be restricted.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

 

5. Possible Recipients

The following categories of recipients — generally processors — may gain access to your personal data:

  • Service providers for operating our app and processing the data stored or transmitted by the systems (e.g., data center services). This processing is always carried out on our behalf (“data processing agreement”).
  • Public authorities, where this is necessary to comply with a legal obligation. In such cases, the legal basis is Art. 6(1)(c) GDPR or Art. 9(2)(g) GDPR.

In addition, we will only share your personal data with third parties if you have given us your explicit consent.

As part of the further development of our business, the structure of our company may change — e.g., by changing the legal form, establishing, purchasing, or selling subsidiaries, company divisions, or parts of the business. In such transactions, customer information may be transferred along with the relevant part of the company as part of what is known as legal succession. In all cases of transfer of personal data to third parties as described, we ensure that it is done in accordance with this data protection policy and the applicable data protection law.

6. Purpose Changes

Processing of your personal data for purposes other than those described will only occur where permitted by law or if you have consented to the changed purpose.
If further processing is for purposes other than those for which the data were originally collected, we will inform you of those other purposes before such further processing and provide you with all relevant information.

7. Processing in Third Countries

To provide our services within the scope of using the app, we also use service providers outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and is only carried out to the extent necessary.

Whenever possible, we use servers located within the EU. However, it cannot be ruled out that data may also be transferred to the USA. This particularly applies to the login data you provide and the app usage data.

For the USA, the European Commission has not issued any so-called adequacy decisions. We nevertheless ensure that data protection is adequately guaranteed. To this end, we use the Standard Contractual Clauses (SCCs) of the European Commission and implement additional technical and organizational measures. The Standard Contractual Clauses for third-country transfers can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

8. Storage and Deletion of Your Data

We delete or anonymize your personal data as soon as they are no longer required for the purposes for which we collected or used them in line with this privacy notice.

As a rule, we store your personal data for the duration of your use of the app or contractual relationship, plus an additional period of one year, during which we retain backup copies.

You may request deletion within the app at any time. Please note that after deletion, data cannot be restored by us — they are irreversibly erased.

Storage may, however, continue beyond the specified time and even in the event of deletion initiated by you, if there is (or may be) a legal dispute with you or any other legal proceedings.

Third parties engaged by us (so-called processors) will store your data on their systems only for as long as necessary in connection with the provision of services for us, in accordance with the respective contract.

Your data are preferably stored on servers in the EU. Access from a third country — including by government authorities of a third country — cannot be excluded.

9. Data Security

We employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. These measures take into account the state of the art, the implementation costs, as well as the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks for you, including the impact of security incidents such as data breaches.

Our security measures are continuously improved in line with technological developments.

10. Tools Used by Third-Party Providers

We use the Google Cloud Platform, provided by Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland, for storing and processing all data categories mentioned.

For hosting in the Google Cloud (Google Cloud Platform, GCP), the storage location Frankfurt (Germany, europe-west3) is used.

When you contact us by email, we store these emails in the Microsoft 365 Exchange email service provided by Microsoft (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA), with servers located in the EU.

11. Change of the Data Protection Policy

As data protection law, as well as technological or organizational conditions, evolve, our data protection policy is regularly reviewed to determine whether adjustments or additions are necessary and updated accordingly.

This data protection notice is dated October 2025.