
Privacy Policy

Last updated: May 2026 · In accordance with the GDPR and the Austrian Data Protection Act (DSG)

1. Data Controller

PCM Solution GmbH
Kohlerweg 155
5531 Eben im Pongau
Austria
Email: Contact Form
Website: https://www.phe-buddy.at

2. Types of Data Collected

2.1 Health Data (Apple Health / Google Health Connect)

With your explicit consent, we process the following health data:

  • Body weight and height
  • Phenylalanine (PHE) daily values and entries
  • Steps and physical activity
  • Heart rate and heart rate variability (HRV)
  • Sleep data
  • Calorie consumption and distance
  • Medication reminders

This data is used exclusively to calculate your daily PHE limit, evaluate your nutrition, and display your wellbeing.

Health and fitness data collected via Apple HealthKit or Google Health Connect is used exclusively to provide app functionality. This data will never be used for advertising, marketing, user tracking, or sold to third parties. Data is only shared with third parties with your explicit consent or as required by law.

2.2 Device Data

We collect the following technical data during app installation and use:

  • Device ID (anonymized)
  • Operating system and version (iOS / Android)
  • Device model and manufacturer
  • App version and WebView version
  • IP address (for security and fraud prevention)
  • Approximate location (country, city) based on IP address

2.3 Usage Data

  • Recorded PHE entries and food data
  • Medication plans and reminder settings
  • Weight history
  • Push notification token
  • First name, last name and email address (for support and communication)

3. Website phe-buddy.at – Hosting & Tracking

3.1 Hosting (All-Inkl.com)

The website phe-buddy.at is hosted by ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. Each time the website is accessed, the following data is automatically collected and stored in server log files:

  • IP address (anonymized)
  • Date and time of access
  • URL accessed
  • Browser type and version
  • Operating system
  • Referrer URL

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website). Privacy policy: https://all-inkl.com/datenschutzinformationen/

3.2 Cookies

Our website uses cookies, small text files stored in your browser. We distinguish between:

  • Technically necessary cookies: Required for the operation of the website (e.g. storing your cookie consent). Legal basis: Art. 6(1)(f) GDPR.
  • Analytics and marketing cookies: Only set after your explicit consent. Legal basis: Art. 6(1)(a) GDPR.

You can withdraw your cookie consent at any time via the cookie banner or delete and block cookies in your browser settings.

3.3 Google Tag Manager

We use the Google Tag Manager by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Google Tag Manager itself does not process any personal data; it solely serves to manage and deploy other tracking tools. The activation of the following services only takes place after your consent via the cookie banner. Privacy policy: https://policies.google.com/privacy

3.4 Google Analytics 4

With your consent, we use Google Analytics 4 (GA4) by Google Ireland Limited to analyse user behaviour on our website. GA4 collects, among other things:

  • Pages visited and time spent
  • Source of visit (referrer, campaign)
  • Device and browser information
  • Approximate location (country/city, based on anonymized IP)
  • Interactions (clicks, scroll behaviour, form completions)

IP addresses are anonymized by default. Data is processed on EU servers. Legal basis: Art. 6(1)(a) GDPR (consent). You can disable Google Analytics data collection via the browser add-on: https://tools.google.com/dlpage/gaoptout

3.5 Meta Pixel (Facebook Pixel)

With your consent, we use the Meta Pixel by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. The Meta Pixel enables measurement of advertising performance on Facebook and Instagram as well as the creation of audiences for remarketing. The following data is processed:

  • Pages visited and actions taken on the website
  • Device and browser information
  • Anonymized IP address

Meta may link this data to your Facebook account if you are logged in. Legal basis: Art. 6(1)(a) GDPR (consent). Privacy policy: https://www.facebook.com/privacy/policy/

3.6 Unifyr Analytics Pixel

We use Unifyr Analytics, a web analytics service by Agentur Circle GmbH, on our website. The Unifyr pixel collects anonymized usage data to analyse website traffic. Data is processed exclusively on European servers and is not shared with third parties. The Unifyr pixel is loaded independently of your cookie consent, as it does not process personal data within the meaning of the GDPR. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous website analysis).

4. Processing of Special Categories of Personal Data (App)

PHE Buddy processes health data in accordance with Art. 9 GDPR. This is done exclusively on the basis of your explicit consent and for the purpose of healthcare provision.

Phenylketonuria (PKU) is a metabolic disorder. The processing of the associated nutritional and health data serves exclusively your personal healthcare and the management of your PKU condition.

5. Purposes of Data Processing

  • Calculation and monitoring of your daily PHE limit
  • Recording and evaluation of meals and food items
  • Medication reminders and health tracking
  • Weight monitoring and PHE limit adjustment
  • Sending push notifications for relevant events
  • Sending update and service communications by email
  • Sending marketing emails (only with your consent)
  • Technical operation and security of the app
  • Customer support via the ticketing system

6. Legal Bases for Processing

Consent (Art. 6(1)(a) GDPR): Processing of health data, push notifications, camera and microphone access, and marketing emails.

Contract performance (Art. 6(1)(b) GDPR): Provision of app functions, user account and customer support.

Legitimate interests (Art. 6(1)(f) GDPR): App security, fraud prevention, technical operation, service communications and updates.

7. Device Permissions

7.1 Camera and Photo Library

PHE Buddy requires access to your camera and photo library to take and upload photos of food. Photos taken are stored encrypted on our servers and used exclusively for food recognition.

7.2 Microphone

Microphone access is used for the optional voice input when logging food. Audio recordings are not stored permanently and are only used for the immediate processing of voice input.

7.3 Biometric Authentication

PHE Buddy supports Touch ID, Face ID and fingerprint sensors for secure login. Biometric data is processed exclusively locally on your device and is never transmitted to our servers.

7.4 Push Notifications

With your consent, we send you push notifications for the following events:

  • PHE warning at 80% of the daily limit
  • PHE warning when the daily limit is exceeded
  • Reminder for forgotten entries
  • Medication reminders
  • Weight reminders

You can disable push notifications at any time in the app settings or in your device's system settings.

7.5 Apple Health / Google Health Connect

Access to Apple Health and Google Health Connect is only granted with your explicit consent. You can revoke access at any time:

  • iOS: Settings → Privacy → Health → PHE Buddy
  • Android: Settings → Apps → Health Connect → PHE Buddy

8. Data Sharing with Third Parties and Data Processing Agreements

We do not share your personal data with third parties except in the following cases. Data processing agreements in accordance with Art. 28 GDPR exist with all processors.

8.1 PCM Holding GmbH – IT Infrastructure

PCM Holding GmbH acts as a data processor responsible for the IT infrastructure of PHE Buddy. The following data is transmitted: first name and last name, email address, and technical infrastructure data. Processing is based on a DPA in accordance with Art. 28 GDPR.

8.2 PCM Holding GmbH – Ticketing System

For customer support we use a ticketing system provided by PCM Holding GmbH. The following data is processed: first name, last name, email address, content of the support request and the communication history. Legal basis: contract performance (Art. 6(1)(b) GDPR).

8.3 Agentur Circle GmbH – Marketing and SALES Hub

For marketing communication and update information we use the SALES Hub of Agentur Circle GmbH. First name, last name and email address are processed. The following are sent:

  • Update notifications about new app features (legitimate interest, Art. 6(1)(f) GDPR)
  • Important service communications (legitimate interest, Art. 6(1)(f) GDPR)
  • Marketing emails (only with your explicit consent, Art. 6(1)(a) GDPR)

You can unsubscribe from marketing emails at any time via the unsubscribe link in the email or in the app settings under Settings → Notifications → Email.

8.4 Firebase (Google LLC)

For push notifications we use Firebase Cloud Messaging by Google LLC, USA. Google is certified under the EU-US Data Privacy Framework.
Privacy policy: https://policies.google.com/privacy

8.5 Apple Push Notification Service (APNs)

For push notifications on iOS devices we use APNs by Apple Inc., USA.
Privacy policy: https://www.apple.com/privacy/

8.6 Hetzner Online GmbH – Hosting

Server hosting in Germany, ISO 27001 certified.
Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz

8.7 SysEleven GmbH – Hosting

Server hosting exclusively in Germany, ISO 27001 and BSI IT-Grundschutz certified.
Privacy policy: https://www.syseleven.de/datenschutz/

8.8 Mittwald CM Service GmbH & Co. KG – AI Services

AI services, processing exclusively on servers in Germany.
Privacy policy: https://www.mittwald.de/datenschutz

8.9 OpenAI – AI Image Processing (Failover)

For AI-assisted image processing as a failover. OpenAI processes only uploaded images and no further personal data. Certified under the EU-US Data Privacy Framework, transfer based on standard contractual clauses (Art. 46 GDPR).
Privacy policy: https://openai.com/privacy

8.10 IP Address Geolocation

For geographic classification of the IP address we use ip-api.com. No personal data is stored permanently at the service provider.

9. Retention Periods and Anonymization

  • Health and PHE data: Until deletion of the user account
  • Device data: 12 months after last app use
  • Push tokens: Until logout or token renewal
  • IP addresses: 30 days (security log)
  • Offline cache on device: Until app uninstallation

9.1 Anonymization After Account Deletion

After deletion of your user account, all personal data will be irreversibly deleted. Certain data will be fully anonymized prior to deletion and used in this form:

  • PHE entries and food data – for statistical analysis
  • Aggregated usage data – for improving app features
  • Anonymized health data – for improving AI features

Anonymization is carried out according to the state of the art so that no conclusions about your identity are possible. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

You can object to the use of your anonymized data for training and statistical purposes at any time in the app settings under Settings → Privacy → Data Usage.

10. Data Security

  • Encrypted data transmission via HTTPS/TLS 1.3
  • Encrypted data storage on our servers
  • Biometric authentication (locally on your device)
  • Regular security audits
  • Access restrictions based on the need-to-know principle

11. Your Rights

Right of access (Art. 15 GDPR): You may request information about your stored data at any time.

Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.

Right to erasure (Art. 17 GDPR): You may request the deletion of your data ("right to be forgotten").

Right to restriction (Art. 18 GDPR): You may request the restriction of processing.

Right to data portability (Art. 20 GDPR): You may receive your data in a machine-readable format.

Right to object (Art. 21 GDPR): You may object to the processing of your data.

Withdrawal of consent (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.

To exercise your rights, please contact: datenschutz@pcm-group.at

12. Right to Lodge a Complaint

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Phone: +43 1 521 52-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at

13. Changes to this Privacy Policy

We reserve the right to update this privacy policy as needed. The current version is always available at https://www.phe-buddy.at/datenschutz.en.html. You will be notified of significant changes via the app.

14. Children and Minors

PHE Buddy is also aimed at children and young people with PKU. For users under the age of 16, the consent of a parent or guardian is required. Parents may request the deletion of their child's data at any time.

15. Data Protection Contact

Email: datenschutz@pcm-group.at
Website: https://www.phe-buddy.at/datenschutz.en.html

Last updated: 05.05.2026

© 2026 PHE Buddy