Ada

Ada Health GmbH is a company based in Berlin which produces Ada, a symptom checker app.

This page is not published. While you can access it via its direct link, it is not yet displayed on the website.

Transparency

Is the policy's history made available? Only the date it was last modified

3/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Only the date it was last modified: 3/5
Yes, with revisions or a change-log: 5/5

Citation

Last modified: 29 April 2020


Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Yes: 5/5
N/A (no personal data—or contact information—collected): 5/5

Citation

Any changes we make to our Privacy Policy in the future will be posted on this page, and where appropriate, notified to you by email or notifications via the App. We therefore encourage you to review it from time to time to stay informed of how we are processing your data.


Does the policy outline the service's general security practices? Yes

2/3

Decided May 17, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No: 0/3
Somewhat: 1/3
Yes: 2/3
Yes, including audits: 2.5/3
N/A (no personal data collected): 3/3
Yes, including independent audits: 3/3

Citation

The personal data that we collect from you is stored in the European Union on Cloud Servers of Amazon Web Services EMEA S.A.R.L. (“AWS”) with a business seat in Luxembourg and on the Cloud Servers of Google Commerce Limited (“GCL”), a company incorporated under the laws of Ireland, with offices at Gordon House, Barrow Street, Dublin 4, Ireland. This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement if the additional requirements of Art. 44 et seq. GDPR for processing in third countries are compliant with an appropriate level of protection in the third country and appropriate guarantees under Art. 46 GDPR (such as standard data protection clauses, or exceptional circumstances under Art. 49 GDPR).

Sensitive information between your browser and our Website is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.


Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No: 0/10
Somewhat: 4/10
Mostly: 7/10
Yes: 10/10
No personal data is collected: 10/10

Note

Due to the length of this section, you can read each use in section 3 under the "Use justification" clause.


Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically

Possible Options

No: 0/10
Only summarily: 3/10
Yes, generally: 7/10
Yes, exhaustively: 10/10
N/A (no personal information is collected): 10/10

Note

Due to the length of this section, you can read each use in section 3 under the "Types of data" clause.


Does the service collect personal data from third parties? Only for critical data

7/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

For example, a blog providing user avatars or a bank conducting identity verification

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes: 0/10
Only for critical data: 7/10
No: 10/10

Citation

3.3 Facebook Login Types of data: Facebook ID, email (if provided in Facebook account), and phone number (if provided in Facebook account) and time and date of the login.


Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-in basis

5/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Non-critical use of personal data is not enabled by default.

Some services allow users to opt out of or opt in to non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No: 0/5
On an opt-out basis, but only for some non-critical data/uses: 1.5/5
On an opt-out basis, for all non-critical data/uses: 3/5
N/A (no data used for non-critical purposes): 5/5
On an opt-in basis: 5/5

Citation

3.12 Monitor usage to ensure proper use, functioning, maintenance and improvement of the medical reasoning system and related Services [...] Use justification: Legitimate interest (Article 6 (1) (f) GDPR). Our legitimate interest is based on the aforementioned use of that data purposes. Under no circumstances will we use the collected data to determine your identity. We may send you transactional emails (e.g. account creation verification email, reset password email, double opt-in email regarding the newsletter subscription, welcome email) and process the page interaction accordingly, to ensure proper reception and assess the service in order to improve it.


Handling

Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes: 0/10
Yes, but you can opt-out: 3.5/10
Yes, but you must opt-in: 7/10
No: 10/10

Note

No information was found proving such.


Does the service allow third-party access to private personal data? Yes, all parties specified (including non-critical service providers such as advertisers)

3/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified: 0/10
Yes, all parties specified (including non-critical service providers such as advertisers): 3/10
Yes, not all parties specified (but only to critical service providers): 7/10
Yes, all parties specified (only to critical service providers): 8/10
No: 10/10

Citation

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement.

Note

Companies who have access to your data are:
- Amazon Web Services (Infrastructure)
- Google Cloud Platform (Infrastructure)
- Hetzner Online GmbH (Infrastructure)
- MongoDB Cloud Services, Inc (Infrastructure)
- Adjust (Tracking)
- Amplitude (Tracking)
- Customer.io (Tracking)
- Facebook SDK (Tracking)
- New Relic (Tracking and Monitoring)
- Sentry (Tracking)
- Formspree.io (Customer Support)
- Zendesk (Customer Support)
- IP Find (Country Information)
- Contentful (Website Content Management)
- Prismic (Website Content Management)


When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

Always: 0/5
Not specified: 0/5
When reasonably requested: 3/5
Only when required by a court order or subpoena: 4/5
N/A (no personal data to share): 5/5
Never (special legal jurisdiction): 5/5

Citation

6.4 If we are required on the basis of EU law or the law of a Member State to disclose or share your personal data.

Use justification: Legal obligation, Article 6 (1) (c) GDPR.


Does the service allow you to permanently delete your personal data? Yes, using an automated mechanism

5/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No: 0/5
Yes, by contacting someone: 3/5
Yes, using an automated mechanism: 5/5
N/A (no personal information collected): 5/5

Citation

We will hold the above data for as long as it is necessary in order to provide you with the Services, deal with any specific issues that may arise or, otherwise, as it is required by law or by any relevant regulatory body. Specific storage periods for the respective processing activities are detailed in Section 3 above.

Once your account is terminated, we will delete the personal data relating to your account within 1 month.

If you were a user of the UK Doctor Chat services (which is no longer available since 23 March 2018), your consultation details may be retained by us for a period up to 10 years according to the UK Records Management Code of Practice Retention Schedule, or if otherwise required by Care Quality Commission (“CQC”).

If your personal data is used for two different purposes, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires.

We restrict access to your personal data to the persons who need to use it for the relevant purpose(s). Our retention periods are based on reasonable business needs, and your personal data that is no longer needed is either irreversibly anonymized (and the anonymized data may be retained) or securely destroyed.

Note

You can delete your account based on the information provided at https://help.ada.com/hc/en-us/articles/360000319269



Warnings

Ada has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Ada, submit one here.


Highlighted Policy Snapshot ALPHA

No highlighted policy snapshot has been created for this privacy policy. To view the policy at its original location, click here.

8.1/10


Version Added

May 17, 2020

Ratings Updated

May 17, 2020

Warnings

0

Maintained by

doamatto
