Privacy Notice anomalie Web App

Last updated: October 2025

Introduction

Welcome to anomalie. Your privacy is a cornerstone of our service. We are committed to protecting your personal data and processing it in a way that is transparent, secure, and respectful of your rights. This Privacy Notice provides a detailed overview of our data practices. Your use of our App is subject to our Terms of Use, and the processing of your personal data is governed by the principles and legal bases described herein.

The processing of your data is carried out in strict compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Given that the core purpose of our App is to help you store and visualize your physical performance and further health data, we process data that is classified as health data under Art. 4(15) GDPR. This special category of personal data is subject to heightened protection, a responsibility we take seriously. This Privacy Notice explains the specific safeguards and legal bases we rely on to process your personal data lawfully and securely.

1. Name and Contact Details of the Controller

The controller for the processing of your personal data is 5am GmbH, Große Brunnenstraße 131a, 22763 Hamburg, Germany.

You can reach us via email: support@getanomlie.com

We have designated a data protection officer (“DPO”) who serves as an independent expert and your point of contact for all matters related to the protection of your personal data. You can reach our DPO with any questions, concerns, or requests to exercise your rights:

• By post at the address above, with the addition “Attn: Data Protection Officer”
• By Email: dpo@getanomlie.com

2. Purposes and legal bases for data processing

We process your personal data exclusively for specified, explicit, and legitimate purposes. Each processing activity relies on a valid legal basis as required by the GDPR. Due to the health-focused nature of our App, many of our processing activities depend on your explicit consent, which grants you direct control over how your personal data is used.

A. Core functionality of our App (contract performance & explicit consent)

To provide you with the full suite of services offered by our App, which includes the secure storage and visualization of your data, the processing of certain data is essential.

Data categories:

• Registration data: This includes your name and email address, which are necessary to create and identify your account, and a password.
• User-Provided Health & Fitness Data: This is the core data you entrust to us. It includes, but is not limited to: physiological metrics like VO₂max, detailed heart rate data, data on physical activities (such as type, duration, intensity, distance), and anthropometric data like body weight, height, age, and gender. It also includes any health-related information you manually enter, such as perceived exertion, wellness notes, and training logs.
• Data generated by the App: Data derived from your inputs, such as calculated metrics and visualizations presented in the App.

Purpose of processing:

• Account management: To create, secure, and maintain your user account, allowing you to access your data and our App’s services.
• Service delivery: The purpose of this processing is strictly limited to enabling the App’s core functionality: storing your data securely and visualizing your performance metrics for your personal use.
• Contract fulfillment: To fulfill our contractual obligations to you as detailed in our Terms of Use, which form the basis of our service relationship.

Legal basis:

• The processing of your non-sensitive registration data is necessary for the performance of the contract between you and us (Art. 6(1)(b) GDPR).
• The processing of your health and fitness data is based on your explicit consent (Art. 9(2)(a) GDPR). You provide this specific, informed, and unambiguous consent during the registration process through an active opt-in. Please be aware that without this consent, we cannot process your health data, and therefore the core functionality of the App cannot be provided.

B. App analytics, cookies & tracking (explicit consent)

To ensure the security, stability, and continuous improvement of our App, we would like to use cookies and analytics tools to gather insights into how our App is used.

Important note on health data: When using an application that is specifically focused on health and physical performance, even technical usage data (like your IP address, device ID, or browsing patterns within the App) can allow for inferences to be made about your health status or interests. For this reason, we treat such usage data as health data, and its collection requires your explicit consent.

Data categories:

• Technical data: IP address, device type, operating system version, browser type and version, and unique device identifiers.
• Usage data: Aggregated and pseudonymized data on how you interact with the App, such as features used most frequently, time spent on certain screens, clicks, and general navigation patterns.

Purpose of processing:

• App improvement: To analyze usage patterns in an aggregated form to understand how our App is used. For example, this helps us identify which features are most valuable, where users might be encountering difficulties, and how we can improve the overall user experience and functionality.
• System health: To ensure the technical stability and security of our platform by identifying, troubleshooting, and resolving bugs, errors, or security threats in a timely manner.

Legal basis: The processing of this data is based on your explicit consent (Art. 9(2)(a) GDPR), which you can grant and manage within the App. You will be asked for this consent separately and transparently. You have the free choice to refuse or withdraw your consent at any time through the App, without any negative impact on the core functionality of the App.

Analytics providers: Google Analytics, Sentry, Vercel Analytics, Facebook Ads Manager, TikTok Ads Manager.

C. Communication with you (consent / legitimate Interest)

When you proactively contact us, for instance via email or a contact form, we process the data you provide to handle your request effectively.

Data categories: Your name, email address, the content and metadata of your message (including date and time), and any other data you voluntarily provide.

Purpose of processing: To respond to your inquiries, provide technical or user support, and manage our communication with you. This includes answering questions about our App, assisting with account issues, or receiving feedback.

Legal basis: Depending on the context, this processing is based on our legitimate interest in providing efficient and effective customer support (Art. 6(1)(f) GDPR). If your inquiry itself contains health data, our processing of that specific information is based on your explicit consent (Art. 9(2)(a) GDPR) as described under section A above.

D. Sharing data with health professionals (explicit consent)

Our App allows you to share your health and fitness data with a health professional of your choice (e.g., your doctor, coach, or physiotherapist). This optional feature is designed to put you in full control of your data.

Data categories: You have granular control and can select precisely which of your health and fitness data, analysis reports, or time periods you wish to share.

Purpose of processing: To enable you to provide a selected health professional with secure access to your data for the purposes of independent consultation, information sharing, and/or performance coaching.

Legal basis: This sharing functionality is based on your separate and explicit consent (Art. 9(2)(a) GDPR), which you can provide within the App.

Controller roles in the sharing process:

• When you decide to use the sharing feature, we and the respective health professional act as joint controllers (Art. 26 GDPR). Our joint responsibility is strictly limited to the specific processing operation of making the data available to the health professional.
• The moment the health professional accesses your data, they become an independent controller for any subsequent processing. From this point on, we have no control over their use of your data. Their processing is governed by their own professional duties and data protection obligations.

We inform you about the essential aspects of our joint control arrangement with health professionals:

• We are responsible for providing the App as secure technical platform that allows you to initiate and control the sharing of your data.
• The health professional is responsible to process your data for the purposes of independent consultation, information sharing, and/or performance coaching.
• For the processing under joint control, we are your designated contact point. To exercise your rights concerning the data processing carried out by the health professional after they have received your data, you must contact them directly.

E. Use of data for scientific research (explicit consent)

We ask for your consent to use your data for scientific research purposes.

Data categories: Your health and fitness data.

Purpose of processing: Your data will be processed to produce an anonymized dataset from which individuals cannot be re-identified. This process involves removing direct identifiers and aggregating the data. The resulting anonymized dataset may then be used by us or shared with trusted research partners (such as universities or sports science institutes) for scientific research.

Legal basis: This processing is based solely on your separate and explicit consent (Art. 9(2)(a) GDPR). Participation is voluntary. You can withdraw your consent at any time.

F. AI-powered features (explicit consent)

Not currently active. If activated, will require your separate and explicit consent.

G. AI model training (explicit consent)

Not currently active. If activated, will require your separate and explicit consent.

3. Recipients of personal data

We only disclose your data to trusted third-party service providers (processors) when necessary for providing our services, when legally compelled to do so, or when based on your explicit consent.

Categories of recipients:

• Hosting and database providers: Vercel, Inc. (USA); Supabase, Inc. (USA)
• Payment providers: Stripe, Inc. (USA) and its European affiliates; Shopify Payments
• Analytics service providers (with consent): Google Analytics, Sentry, Vercel Analytics, Facebook Ads Manager, TikTok Ads Manager
• Legal authorities: Only if legally required

4. International data transfers

We ensure equivalent data protection outside the EU/EEA by:

• Using Standard Contractual Clauses (SCCs)
• Conducting Transfer Impact Assessments (TIAs)
• Implementing supplementary measures

5. Data retention periods

• Registration data: Deleted from production systems within 30 days after account deletion; backups retained up to 90 days.
• Health and fitness data: Deleted with account deletion.
• Server log files: Retained for 14 days.
• Data for legal obligations: Retained up to 10 years.

6. Your rights as a data subject

You have the right to:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object (Art. 21 GDPR)
• Withdraw consent (Art. 7(3) GDPR)
• Lodge a complaint with:
  Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
  Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany

7. Data Security

We implement encryption (TLS 1.2+, AES-256), strict access controls, secure development environments, incident response plans, security reviews, and staff training.

8. Changes to this Privacy Notice

We may amend this notice. Significant changes will be communicated, and renewed consent will be sought where necessary.