PRIVACY POLICY

Connected mHealth – Web Portal and Mobile Application

Last Updated: January 1st, 2026

INTRODUCTION

This Privacy Policy explains how we, acting as a data processor, collect, receive, store, use, and protect personal data on behalf of healthcare institutions, rehabilitation providers, and licensed healthcare professionals (“Data Controller”) who use the Connected mHealth Platform (“Platform”).

Connected mHealth is a platform consisting of multiple role-based interfaces, including a mobile application for patients and a web portal for healthcare professionals. Access to data and functionality is strictly controlled through role-based access controls.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

The Platform processes personal data exclusively under documented instructions from the Data Controller and never for the Data Processor’s own purposes.

ROLES AND RESPONSIBILITIES

The Controllers of personal data are the healthcare institutions, healthcare professionals, or rehabilitation providers (such as hospitals, clinics, rehabilitation centers, and other healthcare organizations) that grant patients access to the Platform, determine the scope of data processing, and make all decisions regarding the purpose and legality of the processing.

Only the Data Controller determines which healthcare professionals within its organization may access specific patients and their personal data.

We act as the Data Processor, processing personal data exclusively on behalf of and according to documented instructions from the Data Controller.

The Data Processor does not make or perform any medical decisions and does not define rehabilitation content.

Connected Innovations acts as a Data Controller when individuals provide personal and company data directly to us without involvement of a healthcare institution or rehabilitation provider.

This includes situations where a user:

  • submits their email address or contact information directly through our website,
  • signs up for demo, trial, or evaluation versions of the Platform,
  • subscribes to newsletters, product updates, or requests a meeting or presentation.

In these cases, Connected Innovations determines the purposes and means of processing, which may include:

  • user communication and onboarding,
  • providing platform access,
  • managing trial or demo accounts,
  • ensuring security and fraud prevention,
  • responding to submitted inquiries.

This controller role applies only to personal data collected directly by Connected Innovations.

All rehabilitation, clinical, exercise, and health-related data processed within the Platform for patient care remain strictly under the control of the healthcare institution (Data Controller), and Connected Innovations processes such data solely as a Data Processor.

TYPES OF PERSONAL DATA WE PROCESS

The Platform requires certain data elements to function properly. These data categories are technically necessary for account creation, authentication, rehabilitation tracking, and delivery of Platform features. Depending on the Data Controller’s configuration and the Platform features in use, the following categories of personal data may be processed:

Required for Platform operation or provided by the Data Controller:

  • Identification data (name, date of birth, gender, email/phone, patient ID)
  • Rehabilitation content, assignments, and completion history
  • Health-related data entered by the clinician or patient
  • Questionnaire results (e.g., pain, sleep, symptoms, well-being)
  • Activity logs and performance metrics
  • Device-generated physiological data (e.g., heart rate, steps, SpO₂, sleep), if the user voluntarily enables device connection
  • Communication history within the Platform
  • Name, email address, professional role
  • Account access logs and activities within the Platform
  • Device type, IP address
  • Login timestamps
  • Error logs and performance metrics
  • General usage analytics data

When Connected Innovations acts as a Data Controller (direct registrations), we process only minimal contact and account information voluntarily provided by the user, such as:

  • Name
  • Email address
  • Phone number (if provided)
  • Communication records
  • Technical data needed for access and security

No health, exercise, rehabilitation, or physiological data are collected unless the user is added by a healthcare provider.

WEBSITE USE

When individuals visit or interact with the Connected Innovations website (https://www.connectedmhealth.com), Connected Innovations acts as a Data Controller.

In this context, we may process the following categories of personal data:

  • Identification and contact data submitted via website forms (e.g., name, email address, company)
  • Communication data (messages, inquiries, demo or meeting requests)
  • Technical and usage data (IP address, browser type, operating system, timestamps, referring URLs)
  • Cookie and tracking data (subject to user consent where required)

The purposes of processing include:

  • Responding to inquiries and requests
  • Providing product information, demos, or presentations
  • Website operation, security, and performance optimization

The legal bases for such processing may include:

  • Performance of pre-contractual measures or contract,
  • Legitimate interest (communication, security, fraud prevention),
  • Business development and communication activities (e.g., responding to demo or meeting requests)

PURPOSE OF PROCESSING

The Data Processor processes personal data only for purposes defined by the Data Controller, including:

  • Enabling delivery and tracking of rehabilitation and health programs
  • Supporting clinicians in managing patient progress
  • Delivering questionnaires and assessments
  • Collecting and displaying results and progress history
  • Ensuring security, stability, and operation of the Platform
  • Generating anonymized or aggregated metrics (non-identifiable)

We do not use any personal data for our own purposes or for marketing purposes.

We never:

  • Use personal data for marketing
  • Sell personal data
  • Profile users for advertising
  • Use personal data for our own purposes

LEGAL BASIS FOR PROCESSING

The Data Controller determines the legal basis for processing personal data, including health data.

Examples of legal bases (determined by the Controller):

  • Performance of a healthcare service or rehabilitation treatment
  • Compliance with healthcare law
  • Explicit consent (e.g., optional device data)
  • Legitimate interest of the Data Controller

The Data Processor does not determine the legal basis and relies entirely on the Data Controller’s lawful instructions.

Connected Innovations acts as a Data Controller when individuals visit or interact with the Connected Innovations website (https://www.connectedmhealth.com).

When Connected Innovations acts as a Data Controller, the legal bases for processing may include:

  • User consent (e.g., newsletter subscription)
  • Performance of a contract (demo/trial account provision)
  • Legitimate interest (security, fraud prevention, responding to user inquiries)

DATA RETENTION

Personal data is retained only for the duration defined by the Data Controller (agreement between the Data Controller and Data Processor) or required by applicable law.

Upon contract termination or request by the Data Controller, personal data is:

  • Exported in a mutually agreed format, or
  • Securely deleted.

The Data Processor maintains backup copies only for operational continuity and security purposes.

DATA SHARING

Our website and Platform may rely on selected third-party service providers for hosting, analytics, communication, and security purposes. These include cloud infrastructure providers, email delivery services, analytics providers, and content delivery networks (CDNs).

All third-party providers are contractually bound to comply with applicable data protection laws and may process personal data only in accordance with our documented instructions or as permitted by law.

We do not share, disclose, or transfer personal data to any third party except:

  • When explicitly requested or approved by the Data Controller
  • When necessary for essential Platform functions (e.g., hosting providers)
  • When required by law or regulatory authorities

All subcontractors operate under data processing agreements ensuring GDPR/HIPAA/PIPL compliance (where applicable).

The Data Processor never shares data for marketing, profiling, or commercial purposes.

INTERNATIONAL DATA TRANSFERS

Some personal data processed through the Platform may be stored or accessed on secure servers located outside the EU/EEA, including in the United States, where our cloud service provider IBM hosts parts of the infrastructure.

Whenever personal data is transferred outside the European Union (EU) or European Economic Area (EEA), the Data Controller and Data Processor ensure that such transfers comply with applicable data-protection laws, including the General Data Protection Regulation (GDPR). In particular:

  • Transfers to the United States are based on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) or any other valid transfer mechanism permitted under GDPR.
  • IBM, as a Sub-processor, is contractually required to implement robust technical and organizational security measures, including encryption, access control, logging, and secure infrastructure management.
  • Personal data is accessible only to authorized personnel and only for the purposes defined by the Data Controller.
  • The Data Controller is informed of all locations where processing occurs and must approve the use of any Sub-processors involved in international transfers.
  • In all cases, the Data Processor ensures that data subjects’ rights and legal remedies remain enforceable and that the level of protection guaranteed by GDPR is not undermined.

SECURITY MEASURES

At Connected Innovations, LLC, we ensure that your data is processed securely. To protect the confidentiality, integrity, and availability of the information we hold, we have implemented appropriate technical and organizational measures. Our staff is trained in sound privacy principles, and we maintain strong data security and privacy protection practices. Additionally, we store your data on the servers of our trusted partner IBM, located in the US. We also adhere to the General Data Protection Regulation (GDPR), which applies to our clients in the European Economic Area.

The Platform implements advanced technical and organizational measures to protect personal data, including:

  • Encryption at rest and in transit
  • Multi-layer access control and RBAC
  • Strong authentication for experts
  • Audit trails and logs
  • Regular penetration testing
  • Infrastructure isolation (multi-tenant architecture)
  • Secure backup procedures
  • Monitoring and incident response processes

The Data Controller is responsible for:

  • Managing user access rights
  • Enforcing strong password policies
  • Ensuring that only authorized clinicians access patient data

Providing personal data that we require is voluntary. However, if you do not provide necessary data, you cannot receive certain services, access all functionalities of our online solutions, or conclude business with us.

RIGHTS OF DATA SUBJECTS

Data subjects (patients, users) have rights as provided by applicable laws and exercised through the Data Controller, including:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent (if applicable)
  • Right to copy of personal data
  • Right to copy of personal data

The Data Processor assists the Data Controller with tools and technical support to fulfill such requests but cannot respond directly to individuals.

BREACH NOTIFICATION (GDPR & HIPAA)

If a security incident occurs:

  • The Data Processor notifies the Data Controller without undue delay, and no later than 48 hours after becoming aware of a Personal Data Breach,
  • The Data Controller is responsible for notifying individuals and regulators,
  • For HIPAA entities, notifications are governed by the HIPAA Breach Notification Rule and the applicable BAA.

The Data Processor never contacts patients directly regarding breaches.

COOKIES AND SIMILAR TECHNOLOGIES

Connected Innovations uses cookies and similar technologies on its website (https://www.connectedmhealth.com) and, where applicable, within the Connected mHealth Platform to ensure proper functionality, security, and user experience.

Cookies are small text files stored on a user’s device that enable the website or application to recognize the device and store certain information related to preferences or past actions.

We distinguish between the following categories of cookies and similar technologies:

  • Strictly necessary cookies

These cookies are essential for the operation, security, and core functionality of the website and Platform, including authentication, session management, and fraud prevention. These cookies do not require user consent.

  • Analytics and performance cookies

These cookies allow us to understand how visitors interact with our website in order to improve performance, content, and usability. Analytics cookies are used only with the user’s consent, where required by applicable law.

Connected Innovations does not use advertising cookies, marketing cookies, or cookies for profiling or behavioral advertising.

Non-essential cookies are used only after the user has provided consent through the cookie consent banner displayed upon first visit to the website, in accordance with GDPR and applicable national legislation.

Users may withdraw or modify their consent at any time through the cookie settings available on the website.

The Connected mHealth Platform itself relies primarily on strictly necessary cookies for authentication and security and does not deploy marketing or advertising cookies within the application environment.

Cookies may be stored for varying durations depending on their purpose.

Session cookies are deleted when the browser is closed, while persistent cookies remain on the user’s device until they are deleted or expire. Retention periods are limited to what is necessary to achieve the intended purpose of each cookie.

Users may control or block cookies through their browser or device settings. Please note that disabling strictly necessary cookies may affect the functionality of the website or Platform.

Instructions for managing cookies can be found in the help section of the user’s browser or device documentation.

Where third-party services are used on the website for analytics, hosting, or content delivery purposes, such providers may set cookies on the user’s device in accordance with their own privacy policies.

Connected Innovations ensures that all third-party providers involved in cookie deployment comply with applicable data protection laws and that appropriate safeguards are in place for any international data transfers.

An overview of cookies and related third-party services is available through the cookie consent interface or upon request.

CHILDREN’S DATA

Processing of minors’ data is managed and legally justified exclusively by the Data Controller. The Data Processor processes such data only under the Data Controller’s instructions and in accordance with healthcare and parental consent regulations.

AUDIT AND COMPLIANCE

To demonstrate compliance, the Data Processor:

  • Maintains records of processing activities
  • Allows audits by the Data Controller or authorized auditors
  • Cooperates with regulatory authorities as required by law

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect operational, legal, or regulatory changes.

The “Last updated” date reflects the current version.

Significant changes will be communicated to the Data Controller.

This Privacy Policy is issued in one official version. Any translations of this Privacy Policy are provided for convenience only. The English version shall be the sole legally binding and governing version. In the event of any inconsistency, discrepancy, or difference in interpretation between language versions, the English version shall prevail.

COMPLAINT PROCEDURE

Data subjects have the right to lodge a complaint with their local data protection authority if they believe that the processing of their personal data violates applicable data protection laws.

For issues, concerns, or complaints related to the processing of personal data within the Connected mHealth Platform, data subjects may contact:

The hospital or healthcare institution acting as the Data Controller, which is responsible for determining the purposes and means of processing and for handling requests related to data subject rights; and

Connected Innovations (Data Processor) at: info@connectedmhealth.com

The Data Processor will review the complaint in cooperation with the Data Controller and will provide a response within a reasonable timeframe. The Data Processor does not respond directly to data subjects regarding rights requests unless expressly instructed by the Data Controller.

For EU/EEA users, the relevant authority may include, for example, the Information Commissioner (Slovenia) or another supervisory authority in their country of residence, place of work, or location of the alleged infringement.

CONTACT INFORMATION

For questions related to personal data processing, please contact:

Data Controller:

The healthcare institution or provider that granted you (user, patient) access to the Platform.

Data Processor:

Connected Innovations, LLC
221 1st Ave SW
Suite 600
Rochester, MN 55902
United States
Website: https://www.connectedmhealth.com

Email: info@connectedmhealth.com

Data Protection Officer (DPO):

Connected Innovations has appointed a Data Protection Officer in accordance with Article 37 GDPR.

The DPO can be contacted at: dpo@connectedmhealth.com