Privacy Policy Lutastic+
1. Purpose
This document represents the currently valid version of the privacy policy of the company Minze NV.
2. Privacy Policy for the Lutastic+® App
With this Privacy Policy, we want to inform you about how we process personal data. Protecting your privacy is of utmost importance to us, which is why compliance with legal data protection regulations is a matter of course for us.
Lutastic+® is used as a Digital Health Application (DiGA) for patients with lower urinary tract symptoms.
This Privacy Policy applies to the mobile iPhone and Android app Lutastic+ (hereinafter "App"). It explains the type, purpose, and scope of data collection within the scope of App use. If the App is used on non-private devices or as part of shared accounts, there is a risk of data loss or unauthorized access. We point out that data transmission over the Internet may have security vulnerabilities. Complete protection of data against access by third parties is not possible.
2.1. Amendments to this Privacy Policy
We reserve the right to amend these data protection provisions at any time in compliance with legal requirements.
2.2. Name and Contact Details of the Controller
Minze NV
Represented by Tom Moore, CEO
Lange Gasthuisstraat 29, bus 15
2000 Antwerpen, Belgium
Email: info@minzehealth.com
2.3. Data Protection Officer
If you have questions about our data protection measures, the processing of your data, or concerning the protection of your rights as a data subject, you can reach us and our Data Protection Officer as follows:
Minze NV - DPO
Represented by Gilles Tas
Lange Gasthuisstraat 29, bus 15
2000 Antwerpen, Belgium
For all questions and concerns regarding your data, please contact dpo@minzehealth.com.
If you wish to communicate directly with our Data Protection Officer (for example, because you have a particularly sensitive concern), please contact us by email. This is the preferred method of communication. Please state in your request that your concern relates to the Lutastic+ App.
2.4. Data Collection
Various types of data are collected and processed within the scope of the application.
Personal Data
Personal data is all information about an identified or identifiable natural person.
The following data are collected for the purpose of providing access to the App and for billing purposes:
- First and last name
- Identification numbers (activation code, customer ID)
- Email address
- Date of birth
- Address (for shipping the Diary Pod)
- Data for login with Health ID and for writing to the electronic patient file (health insurance number, ePA document ID, ePA Home Community ID)
- Consent logs (consent status, consent timestamp)
- Payment data (such as account number, credit card number, bank) for self-payers/privately insured patients
- Activation codes
- If applicable, contents of your correspondence with Lutastic+ customer support
Health Data
The following health data are collected within the scope of the digital therapy and use of the App:
- IPSS (International Prostate Symptom Score)
- IPSS-QoL (IPSS Quality of Life Question)
- ICIQ-OAB (International Consultation on Incontinence Questionnaire – Overactive Bladder)
- PGI-I (Patient Global Impression of Improvement)
- Number of voids
- Number of urge episodes
- Nocturnal frequency (Nocturia)
- Number of incontinence episodes
- Voided volume
- Bladder capacity
- Voiding time intervals
- Number of drinks
- Type of drinks
- 24h fluid intake
- 24h urine output
- Percentage of evening drinks per 24h
- Percentage of nocturnal urine output per 24h
- Weight and height
- Smoker or non-smoker
- Activity level
- Medication
Other Data (Content Data)
- Number of daily opened tips per module
- Number of completed challenges per module
- Status of each challenge (pending, started, completed)
- Status of the bladder diary (pending, started, completed)
- Status of the symptom check (pending, started, completed)
- Tracking of user logins
2.5. Purposes of Processing
We process your data for the following purposes:
- For the intended use of our service and therapy offering
- For the evidence of positive care effects within the scope of a trial
- For evidence documentation in agreements according to § 134 paragraph 1 sentence 3 of the Fifth Book of the German Social Code (regarding certain (success-dependent) billing with health insurance funds)
- For the continuous assurance of technical functionality, user-friendliness, and the further development of the App
In the App, you may grant us the following consents:
- I agree to the General Terms of Use and Privacy Policy. (mandatory)
- I agree to the processing of my personal and health data for the purpose of the intended use of the DiGA, for the evidence of positive care effects within the scope of a trial, and for evidence documentation in agreements according to § 134 paragraph 1 sentence 3 SGB V in accordance with the Privacy Policy. (mandatory)
All consents can be withdrawn at any time.
2.6. Legal Basis
We rely on the following legal bases for the processing of your data:
For Statutory Health Insurance Patients within the Scope of DiGA
- Your consent according to Article 6 (1) lit. a GDPR for registration data
- Article 9 (2) lit. a GDPR for health data
For Private Payers/Privately Insured Patients
- Your consent according to Article 6 (1) lit. a GDPR for registration data
- Article 9 (2) lit. a GDPR for health data
- The initiation or performance of a contract with you (Art. 6 (1) lit. b GDPR)
The health data serve the individual adjustment and performance of the training and thus the improvement of your health status. The data can also be used in anonymized form within the scope of demonstrating positive care effects.
2.7. Necessity or Obligation to Provide Data
Unless explicitly stated otherwise, providing your data is not necessary or mandatory.
Data Analysis
When you access our App, your behavior may be statistically evaluated and analyzed for the improvement and further development of our offerings. When using such tools, we ensure compliance with legal data protection regulations.
Your personal data is sent to:
Minze NV
Lange Gasthuisstraat 29, bus 15
2000 Antwerpen, Belgium
Sub Processors
When processing your data, we work with the following service providers who have access to your data:
Host Provider:
Amazon Web Services EMEA SARL (AWS)
38 Avenue John F. Kennedy,
L-1855 Luxembourg
We use the AWS service provided by Amazon Web Services EMEA SARL for data storage and the provision of our service. Therefore, we process your contact and medical data.
Billing within the Scope of DiGA is Performed by
Noventi HealthCare GmbH
Berg-am-Laim Str. 105
81673 München
We use the service of NOVENTI HealthCare GmbH for billing your entered DiGA code. All necessary data are processed in accordance with the currently valid version of the guideline of the National Association of Statutory Health Insurance Funds according to § 302 para. 2 SGB V and the associated annexes.
Further information about the provider can be found at https://www.noventi.de/datenschutz/.
2.8. Data Storage
We store your personal data, health data, and other data,
- for the duration of the prescription. This is 365 days from the one-time prescription plus a subsequent three-month transition period (see section "Deletion and Retention Periods")
- if you have consented to the processing, at most until you withdraw your consent
- if we need the data for the performance of a contract, at most as long as the contractual relationship with you exists
- if we use the data on the basis of a legitimate interest, at most as long as your interest in deletion or anonymization does not prevail
- if legal retention obligations exist, until the end of the retention periods
Inquiries within the App (e.g., via email) are stored and processed by us, including all resulting personal data (e.g., name, request), for the purpose of processing your request. The processing of this data is based on Art. 6 (1) lit. b GDPR, provided that your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 (1) lit. a GDPR) and/or on our legitimate interests (Art. 6 (1) lit. f GDPR), as we have a legitimate interest in the effective processing of inquiries addressed to us. The data sent to us by you via contact inquiry remain with us until you request us to delete them, withdraw your consent to storage, or the purpose for data storage ceases to apply. Mandatory legal provisions – in particular legal retention periods – remain unaffected. We do not pass on your data without your consent.
2.9. Withdrawal of Consent and Deletion of Data
If you wish to withdraw your consent to data processing by Lutastic+, you can do so by withdrawing your consent to the purposes of data processing (in the section Purposes of Processing) which you gave during registration. To withdraw your consent, you can send an email to dpo@minzehealth.com.
If you withdraw your consent for the mandatory purpose of data processing, you automatically lose access to the content of Lutastic+.
If you wish to have your data stored by Lutastic+ deleted, you can send an email to dpo@minzehealth.com. When a user account is deleted, personal data are completely anonymized. Health data are retained to meet the regulatory requirements for medical devices and digital health applications. However, a personal reference is then technically no longer possible, and logging into the deleted account is no longer possible.
Your program and your data are no longer available to you from the moment of blocking. Minze NV can then no longer perform the services described in the General Terms and Conditions (GTC), can no longer establish a reference to your account for you, and can no longer track whether you used a valid activation code. Any remaining, possibly already paid usage period also expires without the possibility of crediting or reimbursement. The blocking cannot be reversed.
Before account deletion (and only before blocking), we can transfer your data to you if you send this request to dpo@minzehealth.com.
Should other legal, contractual, tax, or commercial retention obligations or other legally anchored reasons conflict with the deletion, only the prolonged blocking of your account can be carried out instead of deletion.
2.10. Deletion and Retention Periods
Uniform deletion and retention periods apply to all users:
- Active usage period: 365 days from entering the activation code in the App.
- Expiry notification: On the 365th day, the user receives information about the expiry of their activation code.
2.11. App Stores
The App is available via distribution platforms operated by third parties, so-called App Stores (Google Play and Apple App Store). Downloading it may require prior registration with the respective App Store and the installation of the App Store software. We have no influence on the collection, processing, and use of personal data in connection with your registration and the provision of downloads in the respective App Store and the App Store software. The operator of the respective App Store is solely responsible in this regard. If necessary, please obtain information directly from the respective App Store provider.
2.12. Transfer to Third Countries
There is no data transfer to countries outside the European Economic Area.
2.13. Your Rights
As a data subject, you have the following rights:
- To request information about the processing of your data, and to receive a copy of your personal data; you can request information about, among other things, the purposes of the processing, the categories of personal data that are processed, the recipients of the data (if disclosed), the duration of storage or the criteria for determining the duration
- To receive the personal data concerning you in a structured, commonly used, and machine-readable format or to have it transmitted to another controller
- To rectify your data; if your personal data is incomplete, you have the right to complete the data, taking into account the purposes of the processing
- To have your data deleted or blocked
- To have the processing restricted
- To object to the processing of your data
- To withdraw your consent to the processing of your data for the future
- To lodge a complaint with the competent supervisory authority about unlawful data processing
2.14. Reporting Security Vulnerabilities
If you believe you have found a security vulnerability in the Lutastic+ App or our services, we encourage you to report it to us so we can address it. You can reach our security team in either of the following ways:
- Via our support form: https://minze.odoo.com/nl_BE/submit-a-ticket-patient (submitted over an encrypted HTTPS connection)
- By email: security@minzehealth.com
The same details are also published in machine-readable form at security.txt in accordance with RFC 9116.
2.15. Status of the Privacy Policy
We adjust the information in case of changes to our processes.
Status of this Privacy Policy: 09.02.2026
Version of this Privacy Policy: V1.0