Terms of Service
Last updated: 2.2-2026-06-08
Version 2.1 - Updated on 20 January 2026
These General Terms and Conditions ("GTC") govern the contractual relationship between the user ("User" or "Consumer") and SanoLabs GmbH, Lahnstraße 68, 65195 Wiesbaden, Germany, ("SanoLabs GmbH" or "we"). They apply to the use of our applications, websites, products, and services. The GTC are binding upon acceptance by the User. Please review them carefully prior to any use of our services.
Part 1 - General Terms and Conditions
I. Structure and Composition
The contractual documentation consists of:
1. Part 1 - General Terms and Conditions (GTC): Definitions, scope, rights, and obligations.
2. Part 2 - General Terms and Conditions of Use (GTCU): Rules governing the operation and use of the App, Services, and Products.
These documents together constitute the contractual framework between the User and SanoLabs GmbH. Your use of our Products is also subject to our Data Privacy Policy and other applicable terms.
II. Definitions
• App: The Sam software application (formerly Viraa) developed and operated by SanoLabs GmbH, accessible via smartphones or other compatible devices.
• Consumer: Any natural person acting for purposes outside their trade, business, craft, or profession.
• Contract: The contractual relationship established between SanoLabs GmbH and the User upon registration or other confirmation of consent.
• Services: All digital content and connected digital health services provided by SanoLabs GmbH, including but not limited to:
o Creation and maintenance of User Accounts,
o Collection, storage, and analysis of personal health-related data,
o Visualisation of collected data in graphical form,
o Provision of recommendations or programs concerning, amongst others, exercise, nutrition, and sleep,
o Transmission of product information, company news, and marketing announcements,
o Access to customer support services.
• Products: All digital and non-digital goods and services provided by SanoLabs GmbH, including the App.
• User Account: The personal account enabling authenticated access to the App and Services.
• Visitors: Individuals who access the SanoLabs GmbH website or App without registering a User Account.
III. Scope and Application
1. These GTC apply to all Products and Services offered by SanoLabs GmbH.
2. By creating a User Account, downloading the App, or otherwise using the Services, the User accepts these GTC.
3. Mandatory statutory consumer protection provisions remain unaffected.
IV. Conclusion of Contract
1. Any presentation of Products or Services on the website or App constitutes a non-binding invitation to contract.
2. By completing registration or using the Services, the User makes a binding offer. The Contract is concluded when SanoLabs GmbH confirms the registration or permits access to the Services.
3. The contractual text is stored electronically by SanoLabs GmbH and transmitted to the User upon request.
V. Right of Withdrawal
1. Consumers are entitled to a statutory right of withdrawal of 14 days in accordance with §§ 355–356 BGB, unless an exclusion applies.
2. The right of withdrawal is excluded where provision of digital content has commenced with the User's express consent and acknowledgement of the loss of the right of withdrawal (§ 356 Abs. 5 Nr. 2 BGB).
3. Withdrawal must be declared in text form (e.g., email to info@sanolabs.eu).
VI. Contract Term and Termination
1. The Contract remains valid for the duration of use of the App, Products, or Services.
2. The User may terminate the contractual relationship at any time by sending a declaration in text form to info@sanolabs.eu. Termination shall become effective upon receipt of the notice by SanoLabs GmbH.
3. SanoLabs GmbH may terminate the contractual relationship for good cause, including but not limited to:
o Serious breach of these GTC or statutory provisions by the User,
o Use of the App for unlawful or abusive purposes,
o Manipulation of data or technical interference,
o Refusal by the User to consent to material amendments of these GTC as communicated in accordance with Section VII.
4. Inactive Accounts: An account shall be deemed inactive if the User has not logged in or otherwise interacted with the App for a period of three (3) years. SanoLabs GmbH may delete inactive accounts after prior notification and a grace period of ninety (90) days. All data will then be deleted in accordance with statutory retention periods.
VII. Amendments
1. SanoLabs GmbH may amend these GTC where necessary to reflect changes in legal requirements, technical developments, or minor adjustments to Services that do not materially affect the User's rights and obligations. Such amendments will be communicated to the User in text form (e.g., email, in-app notification) at least thirty (30) days before they take effect. The User may object within this period; if the User objects, either party may terminate the contract.
2. Material changes that substantially alter the contractual balance (e.g., introduction of new fees, limitations of services) require the User's express consent. Continued use of the Services without such consent does not constitute acceptance and does not create a breach; in this case, the existing contract remains in force under the old terms until the User either provides consent or SanoLabs GmbH terminates the contract in accordance with Section VI.
VIII. Communications
1. SanoLabs GmbH will communicate with the User electronically (email, in-app notifications). Communications are deemed received on the day of transmission.
2. The User must ensure that the registered contact details are up to date and regularly checked.
3. Electronic records generated by SanoLabs GmbH's systems serve as evidence, subject to statutory evidentiary provisions.
IX. Liability
1. SanoLabs GmbH shall be liable without limitation for intent (Vorsatz) and gross negligence (grobe Fahrlässigkeit).
2. Liability for injury to life, body, or health caused by negligence shall not be excluded.
3. In cases of slight negligence, SanoLabs GmbH shall be liable only for breaches of essential contractual obligations (Kardinalpflichten), and only for foreseeable, contract-typical damages.
4. Statutory mandatory liability (e.g., under the Produkthaftungsgesetz) remains unaffected.
X. Warranty (Gewährleistung)
1. Statutory warranty rights apply to all Products and Services, unless expressly excluded where permissible by law.
2. For gratuitous Services, liability for defects is limited to intent and gross negligence.
3. Warranty periods are governed by statutory law, generally two years for Consumers.
XI. Governing Law and Jurisdiction
1. These GTC are governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
2. For Consumers resident in the European Union, mandatory consumer protection laws of their country of residence shall also apply.
3. Exclusive jurisdiction for merchants is Wiesbaden, Germany. For Consumers, statutory rules on jurisdiction apply.
XII. Force Majeure
SanoLabs GmbH shall not be liable for non-performance due to events beyond its reasonable control, including but not limited to natural disasters, epidemics, armed conflicts, strikes, cyberattacks, governmental actions, or supply shortages.
XIII. Severability
Should any provision of these GTC be held invalid, the remaining provisions shall remain enforceable. The invalid provision shall be replaced by a valid one which most closely approximates the intended economic purpose.
Part 2 – General Terms and Conditions of Use (GTCU)
I. Access to Services
1. The App is available via the Apple App Store and Google Play Store. The User must comply with the applicable store's terms of use.
2. SanoLabs GmbH endeavours to provide access to the Services without interruption but does not warrant continuous availability. Scheduled maintenance or unforeseen interruptions will be communicated where possible.
II. User Accounts
1. Users must be at least 18 years of age. Minors may register only with verifiable parental consent in compliance with applicable law.
2. The User is responsible for the accuracy of information provided during registration.
3. The User must keep login credentials confidential and ensure secure use of the account. Any use by third parties is attributed to the User unless SanoLabs GmbH is at fault.
4. Users may delete their account at any time. SanoLabs GmbH may suspend or delete accounts for material breach or prolonged inactivity, subject to prior notice.
III. Use of Services
1. Services may only be used for personal, non-commercial purposes.
2. Prohibited uses include:
o Violation of applicable laws or third-party rights,
o Reverse engineering, decompilation, or attempts to access source code,
o Automated data collection (scraping, harvesting, crawling),
o Manipulation, interference, or disruption of the App or Services,
o Circumvention of security measures,
o Use of the App in bad faith or for fraudulent purposes.
IV. Health Disclaimer
1. The App provides lifestyle and wellness information. It does not constitute a medical device within the meaning of Regulation (EU) 2017/745 (MDR).
2. The App does not provide medical diagnosis or treatment and does not replace professional medical advice.
3. Users with health concerns must seek professional medical consultation without delay.
V. Intellectual Property and Licence
1. All intellectual property rights in the App, Products, and Services remain vested in SanoLabs GmbH or its licensors.
2. The User is granted a limited, non-exclusive, non-transferable licence to use the App and Services in accordance with these GTCU.
3. The licence does not entitle the User to reproduce, distribute, sublicense, resell, or combine the App with third-party software or hardware without prior written consent.
VI. Updates and Third-Party Features
1. SanoLabs GmbH may provide updates, upgrades, or modifications to maintain security and functionality. Users are obliged to install such updates.
2. Features provided by third parties are subject to separate terms. SanoLabs GmbH is not liable for third-party content or malfunctions.
VII. Data Handling and Account Security
1. The User is responsible for implementing adequate technical measures, such as secure passwords, device protection, and software updates.
2. Data transmission to third parties, including healthcare professionals, is at the User's risk. SanoLabs GmbH assumes no responsibility for security once the data leaves its systems.
VIII. Limitations of Use
1. The App is not designed to substitute medical treatment or consultation.
2. The App may not be used in jurisdictions where such use would violate applicable law.
Data Privacy Policy
Version 2.2 – Updated on 8 June 2026
I. Introduction
SanoLabs GmbH takes the protection of your personal data seriously. This Privacy Policy explains how we collect, process, and protect your data when you use the Sam App (formerly Viraa), our website, and related services. We comply with the EU General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (BDSG), and other applicable data protection laws. Where relevant to cookies and similar technologies, we also observe applicable national laws implementing the EU ePrivacy rules. Marketing language has been avoided to ensure legal clarity.
II. Definitions
• Personal Data: Any information relating to an identified or identifiable individual (Art. 4(1) GDPR).
• Health Data: Personal Data concerning health status (Art. 4(15) GDPR). Processing requires explicit consent (Art. 9(2)(a) GDPR).
• Anonymised Data: Data that has been irreversibly altered so that identification of a person is impossible. Anonymised Data falls outside the scope of GDPR.
• Pseudonymised Data: Data that can only be attributed to a person with additional separate information (Art. 4(5) GDPR).
• Data Controller: SanoLabs GmbH, which determines purposes and means of processing.
• Processor: Any external entity processing data on behalf of SanoLabs GmbH, bound by data processing agreements under Art. 28 GDPR.
• Sub-Processor: A third party engaged by a Processor, with the Controller's authorisation, to carry out specific processing activities on behalf of SanoLabs GmbH.
III. Sources of Personal Data
We collect data in the following contexts:
1. Website visits: IP address, browser type, and usage data via cookies and similar tracking technologies (see our separate Cookie Policy). The use of non-essential cookies requires your prior consent under applicable ePrivacy rules and national law.
2. Account creation: Identity and login information (name, email address, password, date of birth).
3. Use of Services: Physiological and technical data (e.g., steps, heart rate, sleep patterns), depending on device permissions.
4. Targeted communication: User segmentation for communication preferences and advertising. Health Data is not shared with third parties for marketing purposes.
5. Support and contact: Data provided when contacting support (name, request content).
6. Research participation: Responses to questionnaires, with separate explicit consent.
7. Automatically collected data: Device identifiers, IP addresses, geolocation (if consented).
IV. Legal Bases for Processing
1. Contract performance (Art. 6(1)(b) GDPR): Account creation, provision of services.
2. Consent (Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR for Health Data): Research participation, Health Data processing, marketing, data sharing with third-party AI providers (see Section VII.4), and use of non-essential cookies.
3. Legal obligation (Art. 6(1)(c) GDPR): Tax, accounting, vigilance obligations.
4. Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, IT security, and Product Improvement (see Section VII.8). For Product Improvement, we use Health Data only in anonymised or aggregated form.
V. Consent and Withdrawal
1. Consent is obtained separately and explicitly for Health Data, research, marketing, data sharing with third-party AI providers, and any other processing that requires consent under applicable law.
2. Users may withdraw consent at any time with effect for the future by emailing privacy@sanolabs.eu. Withdrawal shall be as easy as giving consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
3. For minors, parental consent is required (Art. 8 GDPR / applicable national implementing legislation).
VI. Retention of Data
1. Personal Data is stored only as long as necessary for the purposes outlined, or as legally required.
2. Examples:
• Support tickets: maximum 3 years, unless legal claims require longer retention.
• Accounting data: 10 years (HGB/AO).
• Vigilance/adverse event reports: 10 years unless longer required under medical device law.
• Health Data: until account deletion or withdrawal of consent.
• Data used for Product Improvement: retained only in anonymised or aggregated form once the original processing purpose has been fulfilled.
3. Backup data: Backups cannot be individually modified but are overwritten in cycles to ensure compliance.
4. Inactive accounts: Deleted after 3 years of inactivity, following 90 days' notice.
VII. Data Sharing and Transfers
1. Internal sharing: Only with authorised staff bound by confidentiality obligations.
2. Processors: IT providers, hosting providers, and support partners under Art. 28 GDPR agreements.
3. Sub-Processors: We engage sub-processors to assist in the delivery of our services. We maintain an up-to-date list of all sub-processors on our website. The list identifies each sub-processor by name, the country in which it processes data, and the nature of the processing it performs. All sub-processors are bound by data processing agreements that impose obligations equivalent to those set out in our own processor agreements under Art. 28 GDPR. We keep this list current and will update it when there are changes to our sub-processors. If you have questions or concerns about a sub-processor, you may contact us at privacy@sanolabs.eu.
4. Data sharing with third-party AI providers: For certain features within the Sam App — including AI-assisted personalised insights, health recommendations, and conversational support — we share user data with third-party artificial intelligence providers. These providers currently include Google (Gemini AI). The categories of data shared may include app usage data and, where you choose to activate the relevant feature and provide explicit consent, Health Data (e.g., activity, sleep, and heart-rate metrics). This sharing is carried out on the basis of your explicit consent under Art. 6(1)(a) GDPR and, where special category data (including Health Data) is involved, Art. 9(2)(a) GDPR. Consent for this sharing is obtained separately at the point at which you activate the relevant feature. You may withdraw your consent at any time by emailing privacy@sanolabs.eu. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Third-country transfers: Where Personal Data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards in accordance with Chapter V GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs). Where third-party AI providers are located outside the EEA, the same safeguards apply.
6. Legal disclosures: Data may be shared when required by law, with prior notice to the affected user unless such notice is prohibited by law.
7. Research partners: Only anonymised or aggregated data is shared.
8. Product Improvement: We use your data to improve our products, develop new features, enhance personalisation, and conduct internal analytics and research. The legal basis for this processing is our legitimate interests in improving and developing our services under Art. 6(1)(f) GDPR. We apply privacy-preserving techniques to minimise risk, including: (a) anonymisation — removing identifiers so that data can no longer be linked to you; (b) aggregation — combining data from multiple users so that individual patterns cannot be discerned; and (c) pseudonymisation — replacing direct identifiers with artificial keys, with the re-identification key stored separately under strict access controls. For this purpose we use Health Data only in anonymised or aggregated form. You have the right to object to the use of your identifiable Personal Data for Product Improvement at any time under Art. 21(1) GDPR. To exercise this right, please email privacy@sanolabs.eu. Your decision to object does not affect your ability to use the core features of the Sam App.
VIII. Security Measures
1. SanoLabs GmbH implements appropriate technical and organisational measures (Art. 32 GDPR), including encryption, pseudonymisation, access controls and security audits.
2. In case of a data breach, SanoLabs GmbH will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
IX. User Rights
Users may exercise the following rights under GDPR:
1. Right to information and access (Art. 15 GDPR).
2. Right to rectification (Art. 16 GDPR).
3. Right to erasure (Art. 17 GDPR).
4. Right to restriction of processing (Art. 18 GDPR).
5. Right to data portability (Art. 20 GDPR).
6. Right to object (Art. 21 GDPR), including:
• General right to object to processing based on legitimate interests, including Product Improvement (see Section VII.8);
• Absolute right to object to processing for direct marketing purposes.
7. Right to withdraw consent (Art. 7(3) GDPR).
8. Right not to be subject to automated decision-making, including profiling (Art. 22 GDPR).
9. Right to lodge a complaint with the competent supervisory authority (Landesdatenschutzbeauftragte or other competent authority in your Member State of residence or work).
Requests should be sent to privacy@sanolabs.eu. Proof of identity may be required. Responses will be provided within one month, with the possibility of extension by a further two months where necessary, in accordance with Art. 12(3) GDPR.
X. Automated Decision-Making
SanoLabs GmbH does not use Personal Data for automated decision-making or profiling that produces legal effects or similarly significant effects within the meaning of Art. 22 GDPR. Where AI-assisted features generate personalised insights or recommendations, these are provided for informational purposes only and do not constitute automated decisions with legal or similarly significant effects.
XI. Hosting and Storage
1. Health Data is stored exclusively in Europe on Google Cloud servers.
2. Other Personal Data may be processed outside the EEA only with adequate safeguards as described in Section VII.5.
XII. Data Protection Officer
SanoLabs GmbH has appointed a Data Protection Officer (DPO). You may contact the DPO with any questions or concerns regarding the processing of your Personal Data at: privacy@sanolabs.eu.
XIII. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. Where changes are material, we will notify you via email or in-app notification before the changes take effect. The current version of this Privacy Policy is always available on our website and within the Sam App.
XIV. Severability and Link to GTC
This Privacy Policy is an integral part of the contractual framework with the User. If any provision of this Privacy Policy conflicts with mandatory law, the statutory rules shall prevail. The remainder of this Privacy Policy remains valid and enforceable.
U.S. Addendum – Privacy Rights for U.S. Residents
If you are a resident of the United States, including California, the following additional rights apply under state and federal privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) and comparable state laws.
1. No Sale or Sharing of Personal Information
SanoLabs GmbH does not sell your Personal Information and does not share it for cross-context behavioural advertising within the meaning of CCPA/CPRA.
2. Rights of U.S. Residents
In addition to the rights set out in the GDPR section of this Policy, U.S. residents may exercise the following rights:
• Right to Know: You may request information about the categories and specific pieces of Personal Information we collect and disclose.
• Right to Delete: You may request the deletion of Personal Information we hold about you, subject to legal retention requirements.
• Right to Correct: You may request correction of inaccurate Personal Information.
• Right to Opt-Out of Sale/Sharing: You may request that we do not sell or share your Personal Information.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit use and disclosure of sensitive information (e.g., health data, biometric data) to what is necessary to provide the Services.
• Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
3. Exercising Your U.S. Rights
You may exercise these rights free of charge by contacting us at privacy@sanolabs.eu. We may need to verify your identity before processing your request. Authorised agents may submit requests on your behalf where permitted by law.
4. Response Times
We will respond to requests within the timelines required by applicable U.S. law (generally 45 days, extendable by an additional 45 days if necessary).
5. Data Breach Notification
In addition to our GDPR obligations, in the event of a data breach affecting U.S. residents, we will provide notifications in accordance with applicable federal and state data breach notification laws (e.g., California Civil Code § 1798.82).