TERMS OF USE

Connected mHealth – Web Portal and Mobile Application

Last Updated: January 1st, 2026

INTRODUCTION

These Terms apply to the use of:

  • The Connected mHealth Web Portal and Mobile Application (the “Platform”), and
  • The Connected Innovations website (https://www.connectedmhealth.com), unless stated otherwise.

Connected Innovations, LLC
221 1st Ave SW
Suite 600
Rochester, MN 55902
United States

The Platform is intended for use by healthcare professionals, rehabilitation providers, and research and educational organizations, including but not limited to hospitals, clinics, rehabilitation centers, academic institutions, and other healthcare-related entities, and by their authorized users (including patients, research participants, or students). The Platform is used to deliver, perform, monitor, and manage prescribed rehabilitation programs, health-related services, and approved clinical, research, or educational interventions, as applicable.

By accessing or using the platform, the users confirm that they have read, understood, and accepted these Terms. If the user does not agree with the Terms, they are not permitted to use the platform.

The Connected Innovations website (https://www.connectedmhealth.com) is intended solely to provide general information about the Connected mHealth solution and to enable business and professional communication, such as demo requests or inquiries.

The website does not provide healthcare services, medical advice, diagnosis, or treatment. All rehabilitation and health-related services are delivered exclusively through the Connected mHealth Platform under the responsibility of the relevant healthcare institution.

ROLES (CONTROLLER / PROCESSOR OF PERSONAL DATA)

The Data Controller of personal data is the healthcare institution, healthcare professional, or rehabilitation provider (such as a hospital, clinic, rehabilitation center, or other healthcare organization) that grants users access to the platform, determines the scope of data processing, and makes all decisions regarding the purpose and legality of the processing. Only the Data Controller determines which healthcare professionals may access specific users’ (patients’) personal data.

The Data Controller is responsible for ensuring compliance with GDPR, HIPAA, PIPL (where relevant), and for informing individuals about their rights. The Data Controller also determines data retention periods and decides on data deletion or transfer upon termination of Platform use.

Connected Innovations acts solely as a data processor. It processes data:

  • Exclusively for the purpose of operating the platform
  • Exclusively under the documented instructions of the Data Controller
  • Without the right to process data for its own purposes

The Data Processor ensures:

  • Technical and security safeguards
  • Hosting and infrastructure operation
  • Availability and functionality of the application
  • Technical support for controllers

The Data Processor does not make medical decisions or perform health-related services, and does not define rehabilitation content. Unless explicitly certified under applicable regulations, the Platform is not classified as a medical device under EU MDR, FDA regulations, or other applicable frameworks. The Platform supports communication, monitoring progress, and delivering educational and rehabilitation content, but it must not be relied upon as a standalone diagnostic or therapeutic system.

The Platform does not provide medical advice, does not diagnose medical conditions, and does not replace professional medical judgment. Any decisions related to diagnosis, treatment, rehabilitation, exercise prescription, or patient care are the sole responsibility of the authorized healthcare professional. The Platform is intended only as a support tool and not as a substitute for clinical expertise.

The Data Processor processes personal data exclusively on documented instructions from the Data Controller. If the Data Processor is legally required to process data (e.g., U.S. subpoenas or regulatory requests), it will inform the Data Controller unless legally prohibited from doing so.

In certain situations, Connected Innovations acts as a Data Controller.

This applies only when individuals access or register for the Platform directly through the Connected mHealth website or mobile application without being invited, onboarded, or managed by a Data Controller.

Examples include (but are not limited to):

  • Submitting an email address or creating an account directly through our website
  • Accessing demo versions, trial accounts, or self-initiated registrations
  • Subscribing to product information or requesting access without a healthcare provider

In such cases, Connected Innovations determines the purposes and means of processing the minimum personal data required for:

  • Account creation
  • Communication related to Platform access
  • Service provisioning and technical operation of the platform
  • Security and fraud-prevention measures

When Connected Innovations acts as a Data Controller, processing is performed in accordance with GDPR, ZVOP-2, PIPL, CCPA (where applicable), and other relevant laws.

This Data Controller role applies only to the data collected directly by Connected Innovations and never to any clinical, rehabilitation, or health-related data assigned by healthcare providers, for which the healthcare institution remains the primary Data Controller.

USERS OF THE PLATFORM

Access is granted by the Data Controller, who determines:

  • The scope of permissions
  • Users who can access and use the platform
  • What data they may access

The Platform is not accessible without an active account created by the Data Controller for each employee/expert.

The Data Controller uses the platform to:

  • Add users
  • Create content and assign it to users
  • Review the data shared by the user

Access for registration and use is provided by the Data Controller (healthcare professional or healthcare provider).

Users use the platform to:

  • Perform rehabilitation exercises
  • Track progress
  • Complete questionnaires
  • Monitor their condition

PURPOSE AND FUNCTIONALITY OF THE PLATFORM

The Connected mHealth Platform enables:

  • Assignment and remote execution of rehabilitation programs
  • Tracking of rehabilitation-related data
  • Completing questionnaires
  • Monitoring of activities
  • One-way communication between the user and the Controller
  • Viewing progress, history of data, and reports

The platform is NOT a medical device within the meaning of the Medical Device Regulation (MDR) and is NOT intended for diagnosing or treating diseases. It does NOT replace medical diagnosis, examination, or emergency medical care. It serves as a digital support tool and does NOT substitute professional medical judgment.

The Connected Innovations website https://www.connectedmhealth.com/ is provided for informational and commercial purposes only. Information published on the website does not constitute medical advice, diagnosis, or treatment recommendations and must not be relied upon for medical decision-making.

LEGAL BASIS FOR PROCESSING

Although certain data categories are required for the technical operation of the platform, the legal basis for processing personal data, including health data, is determined solely by the Data Controller, in accordance with GDPR, HIPAA, PIPL, and ZVOP-2. The Data Processor also does not independently transfer personal data to third countries without explicit written instructions from the Data Controller.

The Data Processor does not determine:

  • The purpose of processing
  • The legal grounds for processing
  • Retention periods
  • Categories of data that the Controller decides to collect or request from users

The Data Processor processes personal data only under documented instructions from the Data Controller and only to the extent necessary to provide the Platform services.

CATEGORIES OF PERSONAL DATA PROCESSED

For the Platform to function properly, certain categories of data are technically required. These data categories are limited to what is necessary to enable account creation, user authentication, the delivery of rehabilitation content, progress monitoring, and the general operation of the Connected mHealth Platform.

The Data Processor informs the Data Controller which data elements are technically required for the platform’s functioning, while the Data Controller may agree or disagree with the Platform’s use. These include, for example:

To create a user account, the Platform processes basic identification data such as name, surname, date of birth, gender, email address, or phone number. These data serve solely to identify the user within the system and support the functionality of the platform.

Data include:

  • Name and surname
  • Date of birth
  • Gender
  • Email address or user identifier

The Platform processes data related to the progress of rehabilitation, such as body measurements (e.g., weight and height), results of exercises, and questionnaire responses (e.g., pain assessments, sleep quality, well-being).

Data may include:

  • Weight, height
  • Completion of assigned exercises
  • Rehabilitation results
  • Questionnaires (e.g., pain, sleep, well-being)
  • Borg RPE

Users may voluntarily connect devices, such as smartwatches or sensors, that record heart rate, SpO₂, steps, distance, activity data, and sleep patterns. The transfer of such data is enabled only if the user actively authorizes it on their device.

Data may include:

  • Heart rate
  • SpO₂
  • Steps
  • Activity, duration, distance, intensity
  • Sleep data

To ensure proper operation, the Platform collects technical data, including IP addresses, language settings, device information, usage logs, error logs, and timestamps.

Data may include:

  • IP address
  • System logs
  • Usage timestamps
  • Language and application configuration

The Data Processor does not use personal data for marketing, advertising, profiling, or selling to third parties. Data is processed exclusively to operate the platform and perform services for the Data Controller.

REGISTRATION AND ACCESS

Users receive account creation access from the Data Controller (via email and/or SMS).

Users are responsible for:

  • Protecting their passwords
  • Providing accurate information
  • Using the platform in accordance with the Terms of Use and with the instructions of healthcare professionals.

Access is granted by the Data Controller.

Use is restricted to professional purposes and in accordance with the internal policies of the Data Controller.

USER RIGHTS AND OBLIGATIONS

The user agrees that they will:

  • Not use the platform for unlawful or harmful activities
  • Not modify, distribute or attempt to reverse engineer the code
  • Not grant access to unauthorized persons
  • Provide only truthful and accurate information

The user acknowledges that the Platform is not intended for medical emergency use. In case of emergency, the user must immediately contact the nearest medical facility.

Secure Password Handling

Experts must use strong passwords consisting of letters, numbers, and symbols. Sharing login credentials is strictly prohibited.

Responsibility for Data

Experts are responsible for safeguarding patient data and must comply with GDPR, HIPAA (where applicable), and institutional privacy policies.

Access Control / Authorization

Experts may access only the patient data they are explicitly authorized to view by their institution (Data Controller).

Unauthorized access is strictly prohibited.

Minimum Necessary Principle

Experts must access, view, and use only the minimum data necessary to perform their professional duties.

Misuse

Any misuse, unauthorized access, modification of records, or sharing of patient data may result in suspension or termination of access and may lead to disciplinary or legal action.

ACCESS BY THE PROCESSOR

The Data Processor may access data only when requested by the Data Controller or when necessary to resolve technical issues, security incidents, or support tasks, or for diagnostics. All such access is time-limited, minimal (only what is necessary), and recorded in audit logs.

The Data Processor never accesses data without justification or for commercial purposes.

In the event of a data breach involving PHI, the Data Processor shall notify the Data Controller without unreasonable delay and within the specified timelines.

The Data Processor does not notify affected individuals or regulatory authorities directly.

DATA SECURITY

The provider implements advanced technical and organizational measures, including:

  • Encryption of data in transit and at rest
  • RBAC (role-based access control)
  • Multi-tenant data isolation
  • Secure backups
  • Audit trails of access
  • Regular vulnerability testing
  • Oversight of subcontractors

Security measures are implemented solely to safeguard the data processed on behalf of the Data Controller and do not grant the Data Processor independent authority to determine the purposes or means of processing.

Only authorized persons may access data.

MULTI-TENANT ARCHITECTURE

Data between Platform users (controllers) is completely isolated.

Each Data Controller (tenant) has:

  • Separate data
  • Separate users
  • Separate configuration

Users from one healthcare organization cannot view or access data from another.

RIGHTS OF DATA SUBJECTS

The Data Processor does not respond directly to data subject requests (e.g., access, deletion, correction).

All such requests must be directed to the Data Controller. The Data Processor will support the Data Controller by providing tools and assistance required.

The user (patient) may exercise the following rights through the Data Controller (e.g., hospital):

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability

The Data Processor assists the Data Controller in fulfilling such requests.

SUB-PROCESSORS

The Data Processor uses vetted sub-processors to provide and host the Connected mHealth solution. All sub-processors operate under contractual data processing agreements and comply with GDPR requirements. In jurisdictions where other legal frameworks apply (e.g., HIPAA, PIPL), the Data Processor ensures compliance with the relevant requirements and enters into appropriate agreements.

The Connected mHealth Platform is hosted on IBM Cloud infrastructure managed from the United States. IBM does not access the content of personal data and provides only infrastructure-level services.

IBM acts strictly as an Infrastructure-as-a-Service provider and does not process personal data for its own purposes. IBM does not access personal data in normal operations; any potential access is contractually restricted, strictly supervised, and subject to audit logs.

Data are encrypted at rest and in transit; encryption keys remain under the Data Processor’s control.

Standard Contractual Clauses govern international transfers, and IBM is also on the Data Privacy Framework (DPF) List.

The platform may use Mandrill to send email messages. Mandrill processes only the minimal personal data needed to deliver emails (email address and technical metadata).

The Data Controller may choose to use its own email server instead. 

The Data Processor ensures that all sub-processors used for hosting or service delivery comply with GDPR. In jurisdictions requiring additional frameworks (e.g., HIPAA, PIPL), the Data Processor aligns sub-processor selection and contractual arrangements with the Data Controller (e.g., Business Associate Agreement, local regulatory clauses). The Data Processor can add sub-processors, but the Data Controller needs to be notified and informed that a sub-processor has been added.

DATA RETENTION AND DELETION

The Data Processor does not define or enforce its own data retention periods. All retention, deletion, or export decisions are made solely by the Data Controller. Data are retained in accordance with the Data Controller’s instructions.

Upon termination of the agreement between the Data Controller and the Data Processor:

  • Data are permanently deleted unless the controller requests otherwise and such request is documented in the contract
  • Backups are deleted according to agreed retention cycles

The Data Processor never contacts users (patients) regarding contract termination; this is solely the responsibility of the Controller.

LIABILITY

The Data Processor does not provide medical advice and is not responsible for medical decisions made by healthcare professionals or users. The Platform is provided “as is” and does not replace medical diagnostics.

The provider is not liable for:

  • Incorrect or incomplete data entered by the user
  • Downtime caused by third-party systems (OS, devices, networks)
  • Incorrect use of the Platform
  • Interruptions, data loss, or unauthorized access resulting from weak passwords or negligence by users or experts
  • Incorrect medical decisions made by healthcare staff when creating or assigning plans, diagnostic errors, treatment outcomes, or any consequences resulting from the misuse of the Platform
  • Health decisions made by the user without consulting a clinician
  • Indirect, incidental, special, consequential, or punitive damages

CANCELLATION OF ACCESS

The Platform provider reserves the right to terminate or suspend access to the Platform if:

  • A user violates any provision of these Terms of Use
  • A healthcare professional accesses data without authorization
  • The Data Controller terminates its service agreement
  • Misuse, fraud, or a security breach is detected
  • Legal or regulatory obligations require termination

Upon termination:

  • Access to the Platform is revoked
  • Data is returned or deleted in accordance with the Data Processing Agreement (DPA)
  • The healthcare institution remains responsible for compliance with retention laws

COMPLAINT PROCEDURE

Users and healthcare professionals may submit complaints related to the use of the platform, data processing, access issues, or service quality. Complaints may be directed to:

  • The healthcare institution acting as the Data Controller; and
  • The Platform provider (Data Processor) at: info@connectedmhealth.com

The Data Processor will review the complaint in cooperation with the Data Controller and provide a response within a reasonable timeframe.

If the user believes their personal data rights have been violated, they may also contact the relevant supervisory authority (e.g., the Information Commissioner in Slovenia or other competent authority).

UPDATES TO THE PLATFORM AND TERMS

The Platform provider may:

  • Update the platform
  • Modify functionalities
  • Adjust these Terms

Users will be notified of significant changes via the Portal.

GOVERNING LAW

These Terms of Use are governed by the laws of the State of Minnesota, United States. Any disputes shall be resolved before the competent court in Rochester, Minnesota. This governing law clause does not affect mandatory consumer or data protection rights under EU law. Users in the EU are protected by additional rights and safeguards under GDPR.

These Terms of Use are valid exclusively in one official version. In the event that these Terms of Use are translated into other languages, the English version shall be the sole legally binding and governing version. In the event of any inconsistencies, discrepancies, or differences in interpretation between language versions, the official governing version shall prevail.

CONTACT

Contact us: https://www.connectedmhealth.com/contact

Connected Innovations, LLC
221 1st Ave SW
Suite 600
Rochester, MN 55902
United States
Website: https://www.connectedmhealth.com