Privacy Policy

By accessing and using our services, you agree to our comprehensive terms of use, which ensure fair and safe use.
nyra health GmbH - myReha App & nyra insights platform
As of: December 2025

The protection of your personal data is of particular concern to us. We process your data exclusively on the basis of the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

With this privacy policy, we inform you in accordance with Articles 13 and 14 of the GDPR about the nature, scope, and purpose of the processing of personal data in connection with the use of the myReha app & nyra insights platform.

§ 1 Responsible party and data protection officer

1.1 Responsible party

The responsible party for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

nyra health GmbH
Salzgries 19/3+4
1010 Vienna, Austria
Email: info@nyra.health

1.2 Data Protection Officer

Our Data Protection Officer is:

Mr. Moritz Schöllauf
Salzgries 19/3+4
1010 Vienna, Austria
Email: info@nyra.health

1.3 Data protection responsibility by user type

Data protection responsibility varies depending on the usage type:

| Usage type | Responsible party | Processor |
|---|---|---|
| Clinic user (B2B) | Clinic | nyra health |
| DRV user | nyra health | |
| Insurance user | nyra health | |
| Self-payer | nyra health | |

Depending on the nature of the use, nyra health GmbH processes personal data either as a processor in accordance with Art. 28 GDPR or as an independent controller in accordance with Art. 4(7) GDPR.

If nyra health GmbH processes personal data on behalf of clinics, hospitals, or other service providers, this is done exclusively on the basis of a data processing agreement in accordance with Art. 28 GDPR.

§ 2 Categories of personal data

2.1 Registration data

During registration, we collect:

  • First and last name
  • Email address
  • Date of birth
  • Gender
  • Country (Germany, Austria, Switzerland, or other)
  • Username and password (encrypted)
  • Time of registration

2.2 Insurance data

Depending on the country and payor:

  • Name of health insurance company
  • Health insurance number (only if costs are covered)

2.3 Health data (special categories pursuant to Art. 9 GDPR)

  • Primary diagnosis (e.g., stroke), including subtypes and details
  • Self-assessment of speech and cognitive impairments

2.4 Usage and therapy data (special categories pursuant to Art. 9 GDPR)

  • Activity time per task
  • Error rates and response times
  • Adherence to therapy and exercise intensity
  • Therapy progress and advancement

2.5 Voice recordings

Audio files are recorded during certain exercises (articulation, word retrieval, sentence formation). These recordings are:

  • used to analyze and improve your individual therapy
  • stored and transmitted in encrypted form
  • made available to the supervising specialist staff via nyra insights

To improve our services and train our AI models, voice recordings are used exclusively in anonymized form so that no conclusions can be drawn about individual persons.

2.6 Technical usage data

  • IP address
  • Log files
  • Time and duration of use

§ 3 Purpose of data processing

  • Provision and operation of the app
  • Implementation of speech, memory, and cognitive exercises
  • Individualization and optimization of therapeutic content
  • Analysis of therapy progress
  • Improvement of app functionality
  • Customer and user management
  • Security and abuse prevention (e.g., with regard to access to user accounts)

§ 4 Legal basis for processing

Your data is processed on the following legal bases:

The processing of special categories of personal data within the meaning of Art. 9 GDPR (in particular health data) is carried out exclusively on the basis of consent in accordance with Art. 9 (2) (a) GDPR. In cases where nyra health GmbH acts as a processor for hospitals, therapy centers, etc., the consent of patients for the processing of sensitive data pursuant to Art. 9 (2) (h) GDPR is obtained by these hospitals, therapy centers, etc. as controllers.

In contrast, the processing of other personal data of users/patients is based on the legal basis of Art. 6 (1) (a), (b), and (f) GDPR:

| Purpose of processing | Legal basis | Explanation |
|---|---|---|
| Contract fulfillment (therapy) | Art. 6(1)(b), Art. 9(2)(a) GDPR | Healthcare |
| Settlement with payors | Art. 6(1)(b), Art. 9(2)(a) GDPR | Contractual obligation |
| Product improvement/analytics | Art. 6(1)(f) GDPR | Legitimate interest |
| Marketing/Newsletter | Art. 6(1)(a) GDPR | Consent |
| AI training (anonymized) | Art. 6(1)(f) GDPR | Legitimate interest (anonymous data) |

| Data category | Legal basis |
|---|---|
| Registration and contact data | Art. 6(1)(b), Art. 9(2)(a) GDPR |
| Contract and billing data | Art. 6(1)(b), Art. 9(2)(a) GDPR |
| Health and therapy data | Art. 9(2)(a) GDPR |
| Voice recordings | Art. 9(2)(a) GDPR |
| Usage and interaction data | Art. 6(1)(b) GDPR |
| Marketing and communication data | Art. 6(1)(f) GDPR |

Only anonymized or aggregated data is used for product improvement, statistical analysis, and AI training purposes. Re-identification of individual users is impossible. This data is no longer subject to the GDPR.

§ 5 Recipients and processors

5.1 Overview of processors

We use the following service providers as processors:

Google Firebase

  • Purpose: Hosting, database, authentication
  • Server location: Frankfurt, Germany (EU)
  • Data categories: All user data
  • Legal basis: Art. 6(1)(b), Art. 9(2)(a), Art. 28 GDPR (data processing agreement concluded)
  • Data privacy: https://firebase.google.com/support/privacy

HubSpot

  • Purpose: CRM, email communication, marketing
  • Server location: Frankfurt, Germany
  • Data categories: Name, email, telephone number, interaction data
  • Legal basis: Art. 6(1)(f) GDPR, Art. 28 GDPR (data processing agreement)
  • Data privacy: https://legal.hubspot.com/privacy-policy

RevenueCat

  • Purpose: Management of in-app subscriptions
  • Server location: USA; data transfer secured by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • Data categories: Subscription data, transaction IDs
  • Legal basis: Art. 6(1)(b) GDPR

Amplitude

  • Purpose: Product analytics, usage statistics
  • Server location: USA; data transfer secured by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and DPF certification
  • Data categories: Anonymized usage statistics, feature interactions, session data (no health data)
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
  • Privacy policy: https://amplitude.com/privacy

5.2 Data transfer to third parties

Personal data is transferred to the following recipients:

  • Hospitals and therapists: For clinic users and DRV users for therapy care (legal basis: Art. 9(2)(a) GDPR)
  • Health insurance companies: Billing data for insurance users (legal basis: Art. 6(1)(b) GDPR)
  • German Pension Insurance: Therapy records for DRV users (legal basis: Art. 6(1)(b) GDPR)

5.3 Third-country transfer

When using service providers based outside the European Economic Area (EEA), we ensure that your data is adequately protected by means of appropriate safeguards. These safeguards include:

  • EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • EU-U.S. Data Privacy Framework (DPF) for certified U.S. companies
  • Transfer Impact Assessments (TIA) to evaluate the level of protection

§ 6 Retention periods

We only store your data for as long as is necessary for the respective purposes or as long as there are legal retention obligations:

| Data category | Retention period | Legal basis |
|---|---|---|
| Account data (when actively used) | Duration of the contractual relationship | Art. 6(1)(b) GDPR |
| Therapy/health data | 10 years after the end of therapy | § 630f BGB (documentation requirement) |
| Voice recording | 10 years after the end of therapy | § 630f BGB |
| Billing data | 10 years | § 147 AO, § 257 HGB |
| Analytics data | 26 months | Art. 6(1)(f) GDPR |
| Data after account deletion | Immediate anonymization | Art. 17 GDPR |

§ 7 Your rights as a data subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You can request information about the data stored about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the erasure of your data, provided that there are no legal retention obligations to the contrary.
  • Restriction of processing (Art. 18 GDPR): You can request the restriction of the processing of your data.
  • Data portability (Art. 20 GDPR): You can receive your data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data if it is based on legitimate interest.
  • Withdrawal of consent (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.

To exercise your rights, please contact: info@nyra.health

§ 8 Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Website: www.dsb.gv.at

§ 9 Data security

We use extensive technical and organizational measures (TOMs) to protect your data:

  • Encryption: SSL/TLS encryption during data transmission, AES-256 during storage
  • Access control: Role-based access rights, two-factor authentication
  • Logging: Audit logs for security-related events
  • Backup: Regular data backups with encrypted storage
  • Certifications: ISO 13485 (medical device quality management), ISO 27001 (information security)

§ 10 Automated decision-making and profiling

We use machine learning to provide personalized therapy content. This automated processing is intended solely as a support tool and does not replace human decision-making. The treating specialist always retains control over the therapy plan and can adjust or override the system's recommendations.

§ 11 Changes to this privacy policy

We reserve the right to amend or update this privacy policy as necessary to keep it up to date. We will notify you of any significant changes by email or via a notification in the app. The latest version is available on our website.

§ 12 Contact

If you have any questions about data protection, please contact us at:

nyra health GmbH
Salzgries 19/3+4
1010 Vienna, Austria
Email: info@nyra.health
Website: https://www.nyra.health