Privacy Policy

MyHealthFriend (MHF)

CHU Nice (hereinafter “we”, “our” or “CHU Nice”) provides the MyHealthFriend application (the “Application”) as part of a digital health program aimed at supporting users in managing and improving their physical and mental well-being. The Application is intended for use by citizens of the France–Italy cross-border region in a non-medical context, offering functionalities to monitor general health and well-being through initial assessments and periodic evaluations across different axes such as nutrition, physical activity, sleep, and stress.

The Application was developed to enable users to track their progress on these well-being dimensions while receiving personalized recommendations based on their questionnaire responses and the data collected. The Application does not replace medical advice and is not intended to diagnose or treat any medical condition. It provides general well-being guidance and assists users in pursuing their goals according to their profile and progress.

The Application has been developed in partnership with Kyomed Innov and MedClinik SAS, a subsidiary of 360Medlink Inc., which is responsible for technical development and the secure hosting of data.

When using the Application, the user is invited to create a profile by providing basic information such as age, sex, and other relevant details for well-being tracking. The user then completes an initial assessment evaluating lifestyle habits through questionnaires. Based on the obtained results, recommendations are provided to improve nutrition, physical activity, sleep, and mental well-being. Regular follow-up assessments are proposed to measure the progress achieved by the user.

The collected and analyzed information is used to personalize recommendations and monitor user progress. All personal data are processed in accordance with applicable regulations, in particular the General Data Protection Regulation (GDPR). No sensitive data will be transmitted to third parties without the user’s explicit consent. Some well-being data may be regarded as sensitive if they allow inference of a person’s state of health. Such data are therefore processed with a high level of protection, under pseudonymization, and on the legal basis of public interest in the area of health (Article 9(2)(h) GDPR), even when their use does not have a direct medical purpose.

This Privacy Policy aims to clarify how MyHealthFriend collects, uses, shares, and protects users’ personal data and to inform you of your rights regarding your personal information.

Scope of this Data Privacy Policy

This data privacy policy specifies which categories of (“User Data”) are collected, how they are used and shared by the Application and its associated services (the “Services”), and what rights users have in this regard.

Data Controller

CHU Nice is the controller of the personal data collected through the Application. CHU Nice has appointed a Data Protection Officer (DPO), who can be contacted at dpo@chu-nice.fr for any questions relating to the protection of personal data.

Categories of User Data Processed

The following categories of user data are processed within the MyHealthFriend Application:

Data Provided by the User

Profile Information: such as the user’s email address, age, sex, weight, and height.
Well-being Data: information on the user’s dietary habits, physical activity, sleep quality, and stress level, collected through assessment questionnaires.
Interactions: any other information the user voluntarily provides, such as questionnaire responses, well-being pathway data, or communications with our support team.

Data Collected Automatically

Connection Data: device type, operating system version, and device language.
Usage Statistics: interactions with Application features, frequency of use, and session duration.
Performance Data: Application errors or abnormal behaviors.

These data help us improve service quality, understand Application usage, and personalize the user experience.

User Data are processed by MedClinik SAS as necessary to securely activate user accounts in the Application, as well as for hosting, maintenance, and provision of MyHealthFriend in accordance with the purposes described above and in compliance with data processing agreements with CHU Nice and their respective instructions (Article 28(1) GDPR).

However, only aggregated or pseudonymized Usage Data are accessible and processed directly by our teams, under the subcontracting agreement concluded with Kyomed Innov and MedClinik SAS. Personal data (identifiable or sensitive) are processed exclusively by Kyomed Innov and MedClinik SAS acting as processors on behalf of CHU Nice. For the purposes of this Privacy Policy, the following data protection information is limited to the categories of Usage Data defined below in Section 4.

Purposes and Legal Basis for Processing Usage Data

We will process Usage Data only for the following purposes and legal bases, limited to what is strictly necessary to achieve these objectives:

Type of Data Category	Purpose of Processing	Legal Basis
Usage Data – Event Name (type of user action triggered in MyHealthFriend, e.g., login, assessment submission, goal creation, or viewing a recommendation)	Track and measure Application usage to collect KPI/usage metrics; assess aggregated KPIs to improve features and optimize personalization of well-being recommendations; optimize the user interface to enhance engagement and effectiveness of recommendations.	Legitimate Interest in optimizing the Application’s features and usability (Article 6(1)(f) GDPR)
Timestamps (time when a specific event occurred in MyHealthFriend)	Analyze interaction frequency such as number of logins or completed assessments; identify usage peaks and low-engagement periods to optimize user experience and notification campaigns.	Legitimate Interest in improving Application performance and efficiency (Article 6(1)(f) GDPR)
User Identifier (encrypted ID linking events and timestamps)	Ensure traceability and security of user interactions; document consent provision, acceptance of Terms of Use, and privacy-management actions.	Contract Necessity (Article 6(1)(b) GDPR); Legal Obligation related to consent management (Article 6(1)(c) GDPR)
Connection Data (device type, OS version, device language)	Ensure Application compatibility across systems; adapt user interface and language personalization according to device used.	Legitimate Interest to ensure performance and compatibility (Article 6(1)(f) GDPR)
Performance Data (Application errors, abnormal behaviors)	Identify and fix technical errors or abnormal behaviors to ensure proper functioning; improve overall stability and performance by analyzing reported incidents.	Legitimate Interest to guarantee a stable and smooth user experience (Article 6(1)(f) GDPR)

The information is also used to generate anonymous and aggregated reports on Application usage. These reports allow evaluation of service efficiency without compromising your identity.

Tracking Technologies

When users launch and use MyHealthFriend, information about their use of the Application is collected through built-in tracking technologies. These tracking tools are used to provide a user-friendly and secure Application, correct potential bugs, and continuously improve the functionalities of MyHealthFriend, including support for users in managing their well-being and health.

The tracking technologies used in MyHealthFriend are either functional or analytical (optional). These technologies are integrated directly within MyHealthFriend and do not involve the use of cookies.

We use tracking technologies to measure certain key performance indicators (KPIs) relating to the use of MyHealthFriend. These indicators may include, for example:

Number of active users / registrations
Number of sessions over a specific period
Most frequently used parts of the Application per session
Frequency of use of certain specific features

These indicators are derived from the Usage Data described in this Privacy Policy.

The purpose of measuring these KPIs is to monitor and evaluate the use of MyHealthFriend in aggregated form (which does not allow personal identification). Such aggregated information enables us to improve the user experience, optimize Application features, and better respond to user needs.

The information collected is stored permanently within MyHealthFriend and transmitted to us only in aggregated form. It will not be shared with third parties and is used solely to optimize the quality and performance of the Application.

As mentioned in the section concerning user rights, users have the right to object to this processing based on legitimate interests. For more details on exercising this right, please refer to the “User Rights” section below.

Profiling and Automated Decision-Making

Within the framework of the MyHealthFriend Application, certain data provided by users, including information derived from questionnaires and follow-up assessments, may be processed in order to establish a well-being profile and to deliver personalized recommendations. This processing may involve forms of profiling as defined by Article 4(4) of the GDPR.

The purpose of such profiling is strictly limited to the provision of individualized guidance relating to nutrition, physical activity, sleep, and stress management, and to adapt the content and follow-up actions to the user’s profile and objectives. This profiling does not produce legal effects concerning the user, nor does it similarly significantly affect them within the meaning of Article 22 of the GDPR.

Users have the right to object at any time to profiling carried out on the basis of legitimate interests, in accordance with Article 21 of the GDPR. In the event of objection, certain personalized functionalities may be limited, but the core services of the Application will remain accessible.

Who Has Access to Usage Data?

In general, MyHealthFriend Usage Data are accessible only to the following persons or entities:

MedClinik SAS development and technical-support teams: these teams access the data to maintain the Application, correct bugs, and optimize performance.
Clinical team: to monitor user progress as part of therapeutic guidance or well-being follow-up, under strict confidentiality conditions.

Usage Data shared with third parties—such as research partners or for publication of results (reports or press releases)—are always provided in aggregated and anonymized form. This means the data are presented so that no specific user can be identified.

In specific situations, to protect our legal interests or those of third parties and to assert legitimate rights, Usage Data may be transmitted to competent authorities or courts. This includes cases where there are reasonable suspicions of serious legal violations or breaches of MyHealthFriend’s Terms of Use.

Will Usage Data Be Transferred Abroad?

MyHealthFriend Usage Data are primarily processed and hosted in France and Italy, as well as in other countries within the European Union (EU) or the European Economic Area (EEA). We ensure that all servers used for hosting the Application are located within the EU, thereby guaranteeing full compliance with European data-protection laws. Data are hosted on HDS-certified (Health Data Hosting) servers in accordance with Article L1111-8 of the French Public Health Code, which ensures a high level of security and confidentiality for health-related data.

If, for operational or technical reasons, any Usage Data must be transferred outside the EU or EEA, we will ensure that such transfers are carried out in full compliance with applicable data-protection legislation. In particular, we will ensure that the recipient provides an adequate level of protection, either through:

An adequacy decision adopted by the European Commission, confirming that the recipient country offers a level of protection essentially equivalent to that of the EU; or
The implementation of Standard Contractual Clauses (SCCs) approved by the European Commission. These are contractual provisions that legally oblige the data recipient to comply with EU data-protection standards and to provide appropriate safeguards for the transferred data. Where necessary, these clauses may be supplemented by additional technical and organizational measures to ensure an equivalent level of protection, in accordance with the requirements established by the Court of Justice of the European Union (Schrems II).

These measures guarantee that, even in the case of international transfers, MyHealthFriend users’ data benefit from the same level of protection as within the EU.

How Long Is Usage Data Retained?

MyHealthFriend Usage Data are retained only for the time necessary to achieve the purposes described in Section 4 of this Privacy Policy. To determine the appropriate retention period, several factors are taken into account, including:

The type, scope, and confidentiality level of the collected data;
The potential risk of harm from unauthorized use or disclosure;
The purposes for which Usage Data are processed and whether these purposes can be achieved by other means, such as anonymization;
Any relevant legal or regulatory requirements.

As a general rule, Usage Data are retained as long as the user has an active MyHealthFriend account and continues to use the Application. In some cases, these data may be kept in anonymized form even after the user stops using MyHealthFriend, for the purpose of aggregated and anonymized service analysis and improvement.

User Rights Regarding Data Processing

In accordance with the General Data Protection Regulation (GDPR), MyHealthFriend users have specific rights concerning the processing of their Usage Data. These rights ensure transparency and full control over the use of personal data. They include:

Right of Access (Article 15 GDPR): users may request confirmation as to whether their personal data are being processed and obtain access to such data, including details on the type of data collected and the purpose of processing.
Right to Rectification (Article 16 GDPR): users may request correction or completion of incomplete or inaccurate data about them.
Right to Erasure (Article 17 GDPR): under certain conditions, users may request deletion of all or part of their personal data, particularly when the data are no longer necessary for the purposes for which they were collected, when consent has been withdrawn, or when processing is unlawful.
Right to Restriction of Processing (Article 18 GDPR): users may, in certain cases, request limitation of processing—for instance, when the accuracy of the data is contested, when processing is unlawful, or when the data are no longer needed but must be kept for legal defense.
Right to Data Portability (Article 20 GDPR): users may request, under specific conditions, that their personal data be provided in a structured, commonly used, and machine-readable format, and may transfer such data to another controller.

In addition, users may file a complaint with us and / or with the competent data-protection authority.

The above rights can be exercised via the contact details provided in Section 10 below. We reserve the right to verify requests and, if necessary, request proof of identity in order to protect user privacy.

Contact for Questions and Data-Subject Rights

Entity	Address	Contatto
Ospedale universitario di Nizza	30 Voie Romaine, 06000 Nizza, Francia	dpo@chu-nice.fr

Updates to This Privacy Policy

We review this Privacy Policy regularly and reserve the right to update it from time to time. In the event of significant changes that may impact the processing of Usage Data, users will be informed through a notification within the Application.

Consent to the applicable version of this Privacy Policy is explicitly collected, and proof of consent is recorded and timestamped in accordance with Article 7 GDPR, ensuring traceability and validity of the consent provided.

This Data Privacy Policy was last updated on October 8, 2025.