Who we are
ChroniCare ApS (Chronicare, we, us) is a company registered in Denmark (VAT no. 45652505) at Frederiksholms Kanal 30, 1220 København, Denmark.
We operate Chronicare, a mobile application for people living with chronic health conditions that supports symptom tracking, personalised insights, and connection with our patient community.
ChroniCare ApS is the data controller for the personal information you provide when you use our services.
Privacy contact: info@chronicare.io
For all questions, concerns, or data rights requests relating to this policy, please contact us at info@chronicare.io.
Summary of key points
This summary highlights the most important points. For full detail, please read the complete policy below.
What data do we collect? We collect the personal information you provide when registering and the health, symptom, and lifestyle data you choose to log in the app.
Why is this data sensitive? Health data is classified as special category data under EU law. We only process your health data with your explicit consent.
Do we share your data? With your separate, optional consent, we apply anonymization processes to your health data and may share the resulting anonymized data and insights, which may include anonymized population-level insights or anonymized individual-level records, with pharmaceutical companies, research institutions and life science partners working on chronic diseases. This is how we fund Chronicare at no cost to you. ChroniCare ApS always holds back your identifiable data; third parties who receive anonymized outputs cannot identify you from those outputs.
How do we keep it safe? Your data is stored on encrypted servers within the European Economic Area. We use technical and organisational measures appropriate to the sensitivity of health data.
What are your rights? You have the right to access, correct, export, restrict, or delete your data. You can withdraw any consent at any time. See Section 10 for how to exercise these rights.
Who regulates us? We are supervised by Datatilsynet, the Danish Data Protection Authority, and comply with the EU General Data Protection Regulation (GDPR).
Table of contents
1. What information do we collect?
2. Why do we process your information, and on what legal basis?
3. The Chronicare Research Programme
4. When and with whom do we share your information?
5. Do we use cookies and tracking technologies?
6. Do we use artificial intelligence?
7. How long do we keep your information?
8. How do we keep your information safe?
9. International transfers
10. What are your privacy rights?
11. Do we collect information from minors?
12. Do we make updates to this policy?
13. How can you contact us?
14. How can you access, update, or delete your data?
15. Glossary
1. What information do we collect?
1.1 Information you provide to us
When you register and use Chronicare, you provide us with:
Account information:
Name or display name
Email address
Username and password
Date of birth
Country of residence
Profile picture (optional)
Gender (optional)
Special category health data (GDPR Article 9)
The following categories of data are classified as sensitive special category data under EU law because they directly relate to your health. We only process this data with your explicit consent (see Section 2):
Symptom logs (such as symptom type and severity, stool frequency, pain levels, and condition-specific scores)
Medication and treatment data (such as current medications, intake schedules and medication adherence)
Mental health and wellbeing data (such as mood scores and emotions)
Dietary and trigger information (such as food diaries and nutritional logs)
Journal entries and qualitative health narratives (free-text descriptions of your health experience)
Biomarker data such as calprotectin levels, where you choose to enter this
Community content: Posts, comments, and contributions you make in the Chronicare community feed. Please be aware that community posts may contain implicit health information. Community content is visible to other Chronicare users.
1.2 Information we collect automatically
When you use the app, we automatically collect:
Usage data: Features used, screens viewed, actions taken, session duration and frequency
Device data: Device type, operating system, app version, device identifiers
Technical data: Error reports, crash logs, performance data
Location data: Country-level location derived from IP address, for regional compliance purposes only
This information is used to maintain, secure, and improve the app and for internal product analytics. It is not combined with your health data for commercial purposes.
1.3 Information from third parties
We do not purchase or receive personal data from third parties for profiling purposes. If you choose to register via a third-party account (such as Apple ID or Google), we receive basic profile information from that provider as described in their privacy policies.
2. Why do we process your information, and on what legal basis?
GDPR requires us to identify a lawful basis for each category of processing. The table below sets out each processing activity, its purpose, and the legal basis we rely on. For special category health data (all health data categories listed in Section 1.1), processing under GDPR Article 9 requires an additional basis beyond Article 6. We rely primarily on Article 9(2)(a): explicit consent.
| Processing activity | Purpose | GDPR Art. 6 basis | Art. 9 basis (health data) |
|---|---|---|---|
| Account creation and management | Register and maintain your account | Art. 6(1)(b): Contract | Art. 9(2)(a): Explicit consent |
| Health data processing for app features | Provide symptom tracking, trend insights, and personalised experience | Art. 6(1)(b): Contract | Art. 9(2)(a): Explicit consent |
| Community features | Enable posting and interaction in the Chronicare community | Art. 6(1)(b): Contract | Art. 9(2)(a): Explicit consent |
| Personalised insights and AI features | Generate personal insights from tracked data | Art. 6(1)(b): Contract | Art. 9(2)(a): Explicit consent |
| Research Programme | Apply anonymization processes to health data to produce anonymized data and insights for B2B partners (see Section 3) | Art. 6(1)(a): Consent | Art. 9(2)(a): Explicit consent (separate and optional) |
| App analytics and improvement | Understand how users interact with Chronicare to improve the product | Art. 6(1)(f): Legitimate interests | Not applicable (usage data only, not health data) |
| Service communications | Send service updates, policy change notices, support responses | Art. 6(1)(b): Contract | Not applicable |
| Security and fraud prevention | Protect the security of accounts and services | Art. 6(1)(f): Legitimate interests | Not applicable |
| Legal compliance | Comply with applicable laws and regulatory obligations | Art. 6(1)(c): Legal obligation | Art. 9(2)(f): Legal proceedings and obligations |
| Vital interests | Emergency situations where processing is necessary to protect life | Art. 6(1)(d): Vital interests | Art. 9(2)(c): Vital interests |
Your right to withdraw consent: Where we rely on your consent as the legal basis, you can withdraw it at any time via Settings → Privacy → Update my privacy choices in the app. Withdrawing consent for essential health data processing (Layer 1) means we cannot continue to provide the service, and your account will be closed. Withdrawing consent for the Research Programme (Layer 2) has no effect on your use of the app.
Our legitimate interests: Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test and determined that our interests do not override your privacy rights. We do not rely on legitimate interests to process special category health data.
3. The Chronicare Research Programme
This section explains in full how Chronicare's commercial model works and what it means for your data.
Why this programme exists
Chronicare is free for patients. To sustain this, we partner with pharmaceutical companies, biotech firms, real-world data providers and academic research institutions who commission anonymized data and insights derived from health data generated on our app. This enables us to fund ongoing product development without advertising.
We believe this model can directly benefit patients: the insights we generate contribute to a better real-world understanding of living with chronic conditions, inform drug development pipelines, and help shape clinical research.
Your consent choice
Participation in the Research Programme is entirely optional. When you create your account, you are asked separately, and independently of creating your account, whether you wish to participate. Your choice does not affect your access to the app or any of its features.
A current list of our collaboration partners, including the categories of organisations we work with, the permitted purposes, and the protections that apply, is available at https://chronicare.io/research-program. Where a partner has consented to being named publicly, they are listed by name. Where a partner has requested confidentiality for commercial reasons, they are listed by category of organisation only (for example, "pharmaceutical company"); the existence of the partnership and the purposes for which data is used are always disclosed. If new partners are added to this list, we will notify you by email, at most once per quarter and only when there are actual updates.
What we do with your data in this programme
When you consent to participate, we:
Apply anonymization processes to your health data. We use technical methods to remove direct and indirect personal identifiers and apply further anonymization methods (see below). Depending on the output, this may result in aggregated, population-level insights or anonymized individual-level records. In both cases, the outputs are designed so that recipients cannot reasonably use them to identify any individual.
Share the anonymized outputs with research partners. Outputs are shared in non-identifiable form. Identifiable personal data is never shared with any third party.
Some research partners, in particular real-world data and health data organisations, may incorporate anonymized outputs into analytical services or data products they provide to their own clients in the healthcare and life sciences sector (for example, pharmaceutical companies or health systems). These downstream uses involve only anonymized data; no personal data passes further down the chain. Our Data Sharing Agreements require that any downstream recipients are subject to the same anonymization and non-re-identification obligations that apply to the direct partner.
Chronicare, as the data controller, holds and processes your identifiable health data at all times. We apply strict security measures and data minimisation practices to ensure your data is protected throughout this process. Third parties who receive data outputs from us cannot identify you from those outputs. If you have questions about this, please contact us at info@chronicare.io.
What we do not do
We do not sell personal data that can identify you
We do not share your data for advertising or marketing purposes
We do not share identifiable personal data with any third party
We do not allow any partner to attempt to re-identify individuals from the data they receive; this is expressly prohibited in every data sharing agreement we enter into
Technical protections
Before any output is shared with a research partner, we apply a layered anonymisation process designed to ensure that recipients cannot identify any individual using means that are reasonably likely to be used. Our approach follows these principles:
Identity separation at source. User identities are stored in a separate identifier table, isolated from all health records. Health data references only an internal pseudonym. The mapping table linking that pseudonym to a real identity is never included in any output and is subject to strict access controls on our side.
Layered de-identification. Depending on the output type, we apply a combination of techniques: generalisation (replacing precise values such as exact age or date with broader bands or periods), suppression (removing records or fields where values are rare enough to risk identifying an individual), exclusion of free-text fields (journal entries and qualitative health narratives are excluded from all outputs), and aggregation to group-level results where appropriate.
Minimum cohort thresholds. Any aggregated insight based on fewer than a defined minimum number of users is suppressed from outputs to prevent identification through small or unique groups. The threshold is documented and calibrated to the sensitivity of each output type.
Re-identification risk assessment. Before each release, we conduct a motivated-intruder assessment, an internal test that simulates a competent, motivated actor attempting to re-identify individuals using the output combined with reasonably available auxiliary data sources. The results, residual risk, and any mitigating steps taken are documented per release.
Periodic review. Our anonymisation methods are reviewed periodically and whenever a material change occurs, such as a new recipient, a new data type, or advances in re-identification techniques or AI capabilities.
ChroniCare ApS, as data controller, holds pseudonymous source data at all times and applies full GDPR protections throughout. The anonymisation process is designed so that, from the recipient's perspective, outputs contain no personal data attributable to any individual.
Contractual protections
Every research partner who receives data outputs is bound by a Data Sharing Agreement that expressly prohibits any attempt to re-identify individual users and any use of the data for purposes beyond those agreed. Where a partner provides analytical services or data products to their own clients using our anonymized outputs, the Data Sharing Agreement requires that those downstream recipients are bound by equivalent anonymization and non-re-identification obligations. Partners who violate these obligations will have their access immediately terminated.
In-app Research Panel
We may in the future introduce an optional Research Panel, through which panel members may receive occasional in-app surveys or questionnaires which may be commissioned by healthcare industry partners. Participation in any individual survey will always be voluntary. A separate, additional consent will be required to join the Research Panel. This section will be updated when the feature becomes active.
Withdrawing your Research Programme consent
You can opt out of the Research Programme at any time via Settings → Privacy → Update my privacy choices. Withdrawal has no effect on your access to or experience of the app; all features remain available. After withdrawal, your data will no longer be included in any future output generation. Anonymized outputs already produced and shared before your withdrawal cannot be individually recalled: because these outputs do not contain personal data attributable to any individual, recalling them is technically not possible. They fall outside the scope of GDPR and are retained for ongoing research purposes.
4. When and with whom do we share your information?
We do not sell personal data. We share information only in the following circumstances.
4.1 Service providers (data processors)
We use third-party service providers to operate Chronicare. These providers act as data processors on our instructions and may not use your data for their own purposes. We have Data Processing Agreements (DPAs) in place with each provider under GDPR Article 28.
| Provider | Function | Data location | Transfer safeguard |
|---|---|---|---|
| Supabase | Primary database, authentication, file storage | EU region (Frankfurt, Germany) | Within EEA (no transfer mechanism required) |
| PostHog Inc. | Product analytics and usage insights | EU data centre | Standard Contractual Clauses (SCCs) |
| Google Cloud Platform | App infrastructure, AI features, push notifications | EU region | Standard Contractual Clauses (SCCs) |
| MongoDB Atlas | Database services | EU region | Standard Contractual Clauses (SCCs) |
4.2 Research partners
As described in Section 3, anonymized data and insights may be shared with research partners only with your explicit, optional consent. No identifiable personal data is shared under this programme. A current list of partners, the categories of organisations we work with, and the permitted purposes are maintained at https://chronicare.io/research-partners
4.3 Business transfers
If ChroniCare ApS is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. You will be notified in advance, and where required by law, your renewed consent will be sought before any transfer takes place.
4.4 Legal requirements
We may disclose your information where required by law, court order, or regulatory authority, or where necessary to protect ChroniCare ApS's legal rights or the safety of our users.
4.5 Other users
When you post content in the Chronicare community, your display name and post content are visible to other app users. Your identifiable health tracking data is never automatically shared publicly; only content you actively post in the community feed is visible to others. We may also display anonymized, population-level statistics within the app (such as aggregated information about how users with similar conditions report their experiences), where no individual can be identified from the information shown.
5. Do we use cookies and tracking technologies?
We use tracking technologies within the app and on our website to maintain security, fix bugs, save your preferences, and understand how our services are used.
Product analytics: We use PostHog to collect information about how you interact with the app, such as features used, session lengths, and navigation paths, to help us improve Chronicare. This data is collected under our legitimate interests and is not combined with your health data.
We do not use advertising cookies or tracking technologies. Chronicare does not serve targeted advertising and does not permit advertising networks to place tracking technologies within our services.
We may use essential technical cookies or similar technologies on our website (chronicare.io) solely for security and session management purposes. We do not use cookies for advertising or cross-site tracking. If we introduce non-essential tracking technologies on our website, we will update this section and provide an appropriate cookie notice before doing so.
6. Do we use artificial intelligence?
We use artificial intelligence and machine learning features to enhance your experience of Chronicare. These may include personalised insights into your symptom patterns, trend analysis, and content relevance.
Your personal information processed using AI tools is handled in accordance with this Privacy Policy and our agreements with our AI service providers (see Section 4.1).
We do not use fully automated decision-making that produces legal or similarly significant effects on you. If this changes, we will update this policy and seek your consent where required.
7. How long do we keep your information?
We keep your information for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of your account, plus 90 days after account deletion |
| Health tracking data (personal) | Duration of your account, plus 90 days after account deletion |
| Community posts and contributions | Duration of your account; content may be retained in anonymized form thereafter for community continuity purposes |
| App usage and analytics data | 24 months from collection, then aggregated or deleted |
| Anonymized research outputs | May be retained for ongoing research purposes; as these outputs do not relate to identified individuals, GDPR retention limits do not apply to them |
| Legal and compliance records | As required by applicable law, typically 5 to 7 years |
| Consent records | Duration of your account plus 5 years, to demonstrate compliance with GDPR Article 7 |
Inactive accounts: We do not automatically delete inactive accounts. Your data remains available to you whenever you return to the app, regardless of how long you have been inactive. If you wish to stop using Chronicare, you can delete your account at any time as described below.
Account deletion: You can delete your account at any time via Settings → Account → Delete account. Upon deletion, all identifiable personal data, including your account details, health tracking data, and community content, will be permanently deleted within 90 days of your request. Anonymized research outputs generated from your data prior to deletion are retained for ongoing research purposes. Because these outputs do not contain personal data attributable to any individual, they cannot be recalled as part of account deletion and fall outside the scope of GDPR's right to erasure (Art. 17).
8. How do we keep your information safe?
We implement technical and organisational security measures appropriate to the sensitivity of the personal data we process, including:
Encryption in transit and at rest: All data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest using AES-256 encryption
Access controls: Personal health data is accessible only to Chronicare personnel with a documented legitimate need, governed by internal access control policies and access logging
Infrastructure: We host data in secure data centres within the European Economic Area
Pseudonymization: We apply pseudonymization techniques internally when processing health data to limit exposure in the event of a security incident
Incident response: We maintain a data breach incident response plan and will notify Datatilsynet within 72 hours of becoming aware of a personal data breach, and notify affected users without undue delay where required by law
No system is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security of data transmitted over the internet. We recommend using a strong, unique password and keeping your device software up to date.
9. International transfers
Chronicare is operated by a Danish company and processes your data primarily within the European Economic Area. Your primary data is hosted on Supabase servers in Frankfurt, Germany.
Some of our service providers are incorporated outside the EEA. Where personal data is transferred to a country that does not offer an equivalent level of data protection under EU law, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical and organisational safeguards.
| Provider | Country of incorporation | Transfer mechanism |
|---|---|---|
| PostHog Inc. | United States | EU Standard Contractual Clauses; EU data centre selected |
| Google LLC | United States | EU Standard Contractual Clauses; EU region configured |
| MongoDB Inc. | United States | EU Standard Contractual Clauses; EU region configured |
You can request information about our transfer mechanisms or copies of any SCCs we have in place by contacting us at info@chronicare.io.
10. What are your privacy rights?
As a user in the European Economic Area, you have the following rights under GDPR:
| Right | What it means | How to exercise it |
|---|---|---|
| Right of access (Art. 15) | Receive a copy of the personal data we hold about you | Settings → Export my data, or email info@chronicare.io |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete personal data | Update directly in app settings, or email us |
| Right to erasure (Art. 17) | Request deletion of your identifiable personal data. Anonymized research outputs cannot be recalled as they contain no personal data attributable to you. | Settings → Delete account, or email us |
| Right to restriction (Art. 18) | Ask us to limit processing of your data in certain circumstances | Email info@chronicare.io |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format | Settings → Export my data |
| Right to object (Art. 21) | Object to processing based on legitimate interests | Email info@chronicare.io |
| Right to withdraw consent (Art. 7(3)) | Withdraw any consent at any time | Settings → Privacy → Update my privacy choices |
| Right not to be subject to automated decisions (Art. 22) | Not be subject to decisions based solely on automated processing with significant legal or similar effects | We do not currently make such decisions |
Effect of withdrawing consent: Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal. Withdrawing Layer 2 (Research Programme) consent has no effect on your app experience. Withdrawing Layer 1 (essential processing) consent requires account closure, as processing is necessary for service provision.
Marketing opt-out: You can unsubscribe from any marketing communications at any time by clicking the unsubscribe link in any email we send.
Response times: We aim to respond to all data rights requests within 30 days. For complex requests, this period may be extended by up to two additional months, in which case we will notify you within the initial 30-day period.
Right to lodge a complaint: If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority.
For users in the European Economic Area, the lead supervisory authority is:
Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
dt@datatilsynet.dk | +45 33 19 32 00 | www.datatilsynet.dk
For users in the United Kingdom, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.
11. Do we collect information from minors?
Chronicare is available to users aged 16 and over. We do not knowingly collect personal data from anyone under 16. We operate a three-tier age model:
Users aged 18 and over may access all app features, including the optional Research Programme (see Section 3).
Users aged 16–17 may access all app features. The Research Programme is not available to users under 18. Users in this group manage their own accounts and give consent in their own right, consistent with GDPR Article 8 and Danish data protection law.
Users under 16 may use Chronicare through a parental or guardian proxy account. In this model, the parent or guardian is the account holder and the consenting party. The child is the data subject. Data subject rights for proxy accounts are exercised by the parent or guardian on behalf of the child until the child reaches the age at which they may act independently under applicable law. At the start of registration, the parent or guardian completes a separate explicit declaration confirming that they are creating and will manage the account on behalf of their child, and that they accept responsibility for all consents made within the account. All subsequent consents, including essential health data processing and terms of service, are given by the parent or guardian in their proxy capacity. The Research Programme is not available for proxy accounts.
Age is confirmed by self-declaration at registration via date of birth entry. Parental or guardian status is similarly confirmed by self-declaration. Where a user provides false information about their age or parental status, responsibility for that misrepresentation rests with the person who provided it.
If you believe a user under 16 has registered without parental proxy, please contact us immediately at info@chronicare.io. Upon verification, we will deactivate the account and delete associated personal data without undue delay.
12. Do we make updates to this policy?
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services.
When we make material changes, particularly changes that affect how we process your health data, we will:
Update the "Last updated" date at the top of this policy
Notify you within the app or by email at least 30 days before changes take effect
Where a change affects the legal basis on which we process your data, ask for your renewed consent before the change takes effect
We encourage you to review this policy periodically. The current version is always available at https://chronicare.io/privacy-policy
13. How can you contact us?
For any questions, concerns, or requests relating to this Privacy Policy or your personal data:
ChroniCare ApS
Frederiksholms Kanal 30
1220 København, Denmark
Email: info@chronicare.io
We aim to respond to all privacy-related inquiries within 5 business days and to fulfil all data subject rights requests within 30 days (extendable by two months for complex requests, with prior notice).
14. How can you access, update, or delete your data?
The fastest way to exercise your data rights is directly within the app:
Export your data: Settings → Privacy → Export my data
Update your consent: Settings → Privacy → Update my privacy choices
Delete your account: Settings → Account → Delete account
For any data rights request that cannot be fulfilled within the app, contact us at info@chronicare.io.
15. Glossary
| Term | Definition |
|---|---|
| Personal data | Any information that can identify a living individual, directly or indirectly |
| Special category data | Sensitive personal data defined in GDPR Art. 9, including health data, which requires explicit consent and heightened protection |
| Pseudonymization | Processing of personal data such that it can no longer be attributed to a specific individual without additional information, which is held separately and securely. Pseudonymized data remains personal data under GDPR. |
| Anonymization | Irreversible processing of data such that no individual can be identified, even with additional information. Truly anonymized data falls outside the scope of GDPR. |
| Data controller | The entity that determines the purposes and means of processing personal data. ChroniCare ApS is the data controller for your data. |
| Data processor | An entity that processes personal data on behalf of, and under the instructions of, a controller. Our service providers (Supabase, PostHog, etc.) act as processors. |
| DPA (Data Processing Agreement) | A contract required by GDPR Art. 28 between a controller and processor governing how the processor handles personal data. |
| SCC (Standard Contractual Clauses) | Standard contract terms approved by the EU Commission used to safeguard personal data transferred outside the EEA. |
| GDPR | General Data Protection Regulation (EU) 2016/679, the EU's primary data protection law. |
| Datatilsynet | The Danish Data Protection Authority; ChroniCare ApS's lead supervisory authority under the GDPR. |
Chronicare is a symptom tracking and community platform for people living with chronic health conditions. It is not a medical device and does not provide medical advice, diagnosis, or treatment. Always consult your healthcare team regarding your condition and medications.
