Privacy Policy
Learn how the SMAAT platform protects your data and respects your privacy. For further assistance, visit our Support page or Documentation.
This Privacy Policy explains how the SMAAT platform processes your personal data, including data collected through our website, mobile application, and other online services. It applies to all data processing activities conducted by us, including sensor data collection, experience sampling, health data access where you choose to enable it, and user interactions with our web platform. Our goal is to provide transparency about the types of data we collect, the purposes for processing, and your rights as a data subject. Terms used are gender-neutral.
Last Updated: April 7, 2026
We process various types of data for specific purposes, affecting different data subjects. Below is a summary:
- Categories of Data: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., survey responses), sensor data (e.g., GPS, accelerometer), usage data (e.g., app interactions), meta/communication data (e.g., IP addresses), and health-related data that you choose to share with us via Apple Health or Health Connect on a read-only basis (for example, steps, activity, heart rate, sleep, or similar metrics).
- Data Subjects: Researchers, participants, business partners, website visitors, and app users.
- Purposes: Providing mobile and web services, conducting research studies, user authentication, customer support, security, analytics, and direct marketing (with consent). Health-related data accessed from Apple Health or Health Connect is processed only for the operation of the relevant study, related research analytics, and study administration, based on your explicit consent.
We process personal data under the General Data Protection Regulation (GDPR) based on:
- Consent (Art. 6(1)(a) GDPR): When you explicitly agree to data processing, for example for newsletters, cookies, participation in studies, or access to health-related data from Apple Health or Health Connect.
- Contract Performance (Art. 6(1)(b) GDPR): To fulfill agreements, such as providing research tools, participant services, and account functionality.
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with applicable legal obligations, such as tax or commercial retention requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR): For purposes such as service improvement, fraud prevention, platform stability, and IT security, unless overridden by your rights and freedoms.
Health-related data may constitute special category personal data under Art. 9 GDPR. Where we process health-related data from Apple Health or Health Connect, we do so only on the basis of your explicit consent and, where applicable, for scientific research purposes under the safeguards required by applicable law. You can withdraw your consent at any time with effect for the future by changing your device permissions, leaving the relevant study, or contacting us.
National data protection laws, such as Germany's Federal Data Protection Act (BDSG), may also apply.
We implement technical and organizational measures to protect your data, including:
- Encryption for data collected via the mobile app and web platform during transmission and storage.
- IP masking to anonymize IP addresses where possible.
- SSL/TLS encryption (https) for secure data transmission.
- Access controls and secure storage to ensure confidentiality, integrity, and availability.
- Role-based access restrictions so that only authorized persons can access study-related data.
Your data may be shared with third parties only when necessary for service provision, legal compliance, operation of the platform, or with your consent. Recipients may include IT service providers, cloud hosting providers, communication providers, and researchers responsible for the study in which you participate. We ensure appropriate protection through contracts and, where required, standard contractual clauses or other recognized safeguards.
We do not sell health-related data from Apple Health or Health Connect and we do not use such data for advertising purposes.
If data is processed outside the EU/EEA, we ensure compliance with GDPR through an adequacy decision, standard contractual clauses, or other appropriate safeguards. Where required, we will also rely on your explicit consent. For more information, see the EU Commission guidance on international data transfers: EU Data Protection.
We use cookies and similar technologies to enhance user experience and analyze usage. Types may include:
- Necessary Cookies: Essential for website and app functionality, such as maintaining login sessions.
- Analytics Cookies: Used to understand usage patterns where consent is required.
- Temporary Cookies: Deleted after your session.
- Permanent Cookies: Stored for a limited time unless deleted earlier.
We process data to provide the SMAAT mobile app and web platform, including:
- User account data (e.g., username, email address, password) for authentication, account administration, and study management.
- Survey responses and study participation data for research purposes.
- Sensor data (e.g., GPS, accelerometer, gyroscope, motion-related data, and other device-based inputs) where required by a study and permitted by you.
- Usage and technical data for app functionality, debugging, service improvement, and security.
If you choose to connect Apple Health (iOS) or Health Connect (Android) to the SMAAT app, we may request permission to read selected health-related data types needed for a specific study. These data types may include, for example, steps, walking or activity data, heart rate, sleep data, or similar metrics, depending on the study design.
We do not write data to Apple Health or Health Connect. We access only the categories that you explicitly authorize through the permission dialog provided by your device or operating system.
Health-related data from Apple Health or Health Connect is processed only for the purposes described in the relevant study, including study participation, scientific analysis, and study administration. Such data is not used for advertising and is not sold.
You can revoke access at any time in Apple Health, Health Connect, or your device settings. Revoking permissions stops future access, but it does not automatically delete data already collected and lawfully processed before withdrawal. To request deletion of previously collected data, please contact us or use available in-app account or study controls where applicable.
SMAAT is designed to support smartphone-based research studies. When you join a study, you may be asked to review study information, provide informed consent, and grant access to certain permissions or data sources that are necessary for that study.
Depending on the study, this may include survey responses, passive sensor data, and, if you explicitly choose to allow it, health-related data from Apple Health or Health Connect. The specific categories of data requested may differ from study to study and should be described in the study information presented to you before participation.
Researchers using the platform are responsible for configuring their studies and for ensuring that they have an appropriate legal basis and any required ethics approvals for the research they conduct.
Users can create accounts to access the SMAAT platform. We store login data such as email address or username, encrypted password data, and certain technical information such as IP address or device data to prevent misuse, provide account functionality, and maintain security. Accounts are not public.
Health-related data from Apple Health or Health Connect is never used for authentication, advertising, or unrelated profiling.
If single sign-on (SSO) is offered, we may allow login via external providers. In that case, we receive only the data necessary for authentication and account linking, depending on your provider settings, such as your user ID, email address, or display name.
When you contact us, for example by email or contact form, we process your data (such as your name, email address, and message) to respond to your request and manage follow-up communication. The legal basis is usually contract performance, pre-contractual measures, or our legitimate interests in handling inquiries.
Contact: info@open-lab.online
If we offer newsletters or similar electronic communications, they are sent only with your consent or another applicable legal basis. You can unsubscribe at any time using the unsubscribe link in the message or by contacting us directly.
We may maintain profiles on social media platforms to communicate and share updates. When you visit those platforms, the respective provider may process your data under its own privacy terms. We recommend reviewing the privacy policies of the relevant providers.
We delete personal data when it is no longer necessary for the purpose for which it was collected, when you request deletion, or when you withdraw consent and no other legal basis applies, unless legal retention obligations or overriding legitimate grounds require further storage.
In some cases, processing may be restricted instead of immediate deletion, for example where legal claims, research obligations, or statutory retention duties apply.
Under the GDPR, you have the following rights, subject to the applicable legal requirements:
- Access: Request information about whether and how we process your personal data.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data.
- Restriction: Request restriction of processing.
- Portability: Receive your data in a structured, commonly used, machine-readable format where applicable.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time with effect for the future.
- Complain: Lodge a complaint with a supervisory authority.
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. If material changes are made, we will provide appropriate notice where required. Please review this page regularly for the latest version.