HealthReact Privacy Policy
Effective: June 24, 2026
Last updated: June 24, 2026
This Privacy Policy explains how HealthReact processes personal data in connection with the HealthReact research platform, HealthReact mobile application, web portals, dashboards, connected wearable and sensor integrations, and related services.
HealthReact is a digital research platform used to support scientific, clinical, public health, behavioural, and health-related studies. Depending on the specific study, HealthReact may collect questionnaire data, passive smartphone data, wearable device data, health and fitness data, and other study-related information.
This Privacy Policy also explains how HealthReact accesses, uses, stores, and shares data obtained from Google APIs, including Google Health API, Fitbit-related data accessible through Google Health API, and other connected health and wearable services where applicable.
1. Provider information
HealthReact is provided by:
University of Hradec Kralove
Faculty of Science
Rokitanskeho 62
500 03 Hradec Kralove
Czech Republic
Company ID: 62690094
Contact e-mail: info [at] healthreact.eu
Data protection contact: gdpr [at] uhk.cz
If HealthReact is provided in a particular study by another organisation or in cooperation with another organisation, the study-specific information sheet, informed consent form, contract, or study documentation will identify the relevant controller, processor, study sponsor, research institution, and contact details.
2. Scope of this Privacy Policy
This Privacy Policy applies to:
- the HealthReact mobile application,
- HealthReact web portals and dashboards,
- study workspaces operated through HealthReact,
- integrations with connected wearable devices and services,
- integrations with Google Health API and Fitbit-related data sources,
- data processing necessary to provide, operate, secure, and support HealthReact.
Individual studies may have additional privacy notices, informed consent forms, participant information sheets, ethics approval documentation, or contractual terms. If such study-specific documents provide more specific information, they apply in addition to this Privacy Policy.
3. Role of HealthReact in data processing
HealthReact may process personal data in different roles depending on the specific study and contractual arrangement.
In many studies, the research institution, healthcare provider, university, study sponsor, or other organisation responsible for the study acts as the data controller. In such cases, HealthReact acts as a data processor and processes data on behalf of the controller and according to its instructions.
In some cases, the University of Hradec Kralove or another HealthReact-related entity may act as the controller or joint controller. The applicable role will be specified in the relevant study documentation, agreement, or participant information materials.
HealthReact does not determine the scientific purpose of each individual study unless explicitly stated in the study documentation.
4. Categories of data we may process
The exact categories of data depend on the specific study, enabled HealthReact modules, participant consent, connected devices, and selected integrations.
HealthReact may process the following categories of data:
4.1 Account, identification, and study enrolment data
This may include:
- internal participant identifier,
- study identifier,
- workspace identifier,
- pseudonymous user ID,
- study group or cohort assignment,
- enrolment status,
- device registration status,
- technical account identifiers,
- contact information where required by the study.
In many studies, HealthReact uses pseudonymous identifiers rather than directly identifying participant names.
4.2 Questionnaire and self-reported data
Depending on the study, HealthReact may collect:
- answers to questionnaires,
- ecological momentary assessment data,
- daily diary entries,
- symptom reports,
- mood, stress, pain, fatigue, sleep quality, or behavioural reports,
- lifestyle, nutrition, physical activity, or treatment adherence reports,
- timestamps of responses,
- compliance and completion data.
4.3 Passive smartphone and application data
Depending on the study and enabled permissions, HealthReact may process:
- app usage and interaction data,
- questionnaire completion events,
- notification delivery and response data,
- technical device information,
- operating system information,
- application version,
- error logs,
- connectivity information,
- sensor-derived information where enabled by the study and device settings.
If enabled by the specific study and authorised by the participant, HealthReact or related components may collect location data, including GPS-based data, for research purposes such as mobility analysis, context detection, time-location patterns, or study-specific behavioural analysis.
4.4 Wearable device, sensor, and health-related data
HealthReact may receive or process data from wearable devices, sensors, mobile applications, and connected health services, depending on the specific study and participant consent.
Such data may include:
- physical activity,
- steps,
- distance,
- energy expenditure,
- heart rate,
- heart rate variability,
- sleep duration,
- sleep stages or sleep-related metrics,
- resting heart rate,
- breathing-related metrics,
- movement and accelerometer-derived data,
- body measurements,
- device status,
- data availability and synchronization status,
- other health, fitness, behavioural, or physiological metrics required by the study.
The exact data types depend on the connected device, service provider, API availability, participant consent, and study protocol.
4.5 Data from Google Health API, Fitbit, and connected Google services
If a participant chooses to connect Google Health API, Fitbit-related data, or another Google-based health integration, HealthReact may access health and fitness data from Google APIs only after the participant has granted permission through Google OAuth.
Depending on the scopes requested and approved by the participant, HealthReact may access data such as:
- activity and fitness data,
- steps,
- distance,
- calories or energy expenditure,
- exercise or activity sessions,
- heart rate,
- heart rate variability or related physiological metrics where available,
- sleep data,
- body measurements,
- health and fitness metrics available through Google Health API,
- device or data source metadata,
- identifiers necessary to associate the Google or Fitbit connection with the correct HealthReact participant account.
HealthReact requests only the Google API scopes that are necessary for the specific study or service functionality. The participant may be asked to approve different permissions depending on the study requirements.
HealthReact does not access Google Health API or Fitbit-related data unless the participant has explicitly authorised access through Google OAuth.
4.6 OAuth, authentication, and connection data
When a participant connects Google Health API, Fitbit-related data, or another external service, HealthReact may process technical authentication data necessary to maintain the connection, including:
- OAuth authorization codes,
- access tokens,
- refresh tokens,
- granted scopes,
- token status,
- token expiry information,
- connection timestamps,
- synchronization timestamps,
- Google user identifier,
- Fitbit or legacy Fitbit user identifier where applicable,
- audit logs related to authorization, synchronization, and revocation.
OAuth tokens are used only to access the data authorised by the participant and only for the purposes described in this Privacy Policy and the relevant study documentation.
4.7 Technical, security, and audit data
HealthReact may process technical and security data, including:
- IP address,
- browser or device information,
- server logs,
- authentication logs,
- access logs,
- error logs,
- security event logs,
- API request metadata,
- system monitoring data.
This data is used to operate, secure, debug, maintain, and improve the reliability of HealthReact.
5. How data is collected
HealthReact may collect data:
- directly from participants through the HealthReact application or web interface,
- from questionnaires and study tasks completed by participants,
- from smartphones and mobile sensors where enabled,
- from wearable devices and connected services,
- from Google APIs after participant OAuth consent,
- from Fitbit-related data sources accessible through Google Health API,
- from research staff, clinicians, or study administrators,
- automatically through system logs and technical infrastructure.
Data collection depends on the study configuration, participant consent, device permissions, and connected services.
6. Purposes of processing
HealthReact processes personal data for the following purposes, depending on the specific study and enabled functionality:
6.1 Operation of the HealthReact platform
This includes:
- creating and maintaining study workspaces,
- registering participants,
- delivering questionnaires and study tasks,
- sending study notifications and reminders,
- managing device and wearable connections,
- synchronizing data,
- providing dashboards and reports to authorised study staff,
- monitoring study compliance and data completeness.
6.2 Scientific and clinical research
HealthReact may process data for research purposes, including:
- analysis of physical activity,
- analysis of sleep and sleep regularity,
- analysis of heart rate and physiological patterns,
- behavioural and lifestyle research,
- digital phenotyping,
- ecological momentary assessment,
- intervention studies,
- longitudinal monitoring,
- evaluation of health-related outcomes,
- development and validation of algorithms,
- study-specific statistical analysis.
The specific research purpose is defined in the relevant study protocol, participant information sheet, informed consent form, or other study documentation.
6.3 Personalised study interventions and feedback
Where enabled by the study, HealthReact may use collected data to:
- trigger questionnaires,
- send reminders,
- deliver study-specific interventions,
- provide personalised feedback,
- support just-in-time adaptive interventions,
- detect relevant patterns or events defined by the study protocol.
6.4 Security, reliability, and support
HealthReact processes technical data to:
- maintain platform security,
- detect and prevent misuse,
- troubleshoot errors,
- ensure correct synchronization,
- provide technical support,
- verify system performance,
- maintain audit trails.
6.5 Legal, contractual, and compliance purposes
HealthReact may process data to:
- comply with applicable legal obligations,
- document participant consent and permissions,
- comply with contractual obligations,
- respond to lawful requests,
- support audits,
- demonstrate compliance with data protection, research, and information security requirements.
7. Legal bases for processing
The legal basis for processing personal data depends on the specific study, jurisdiction, controller, and applicable documentation.
Under the General Data Protection Regulation, the legal basis may include:
- consent of the participant,
- performance of a task carried out in the public interest,
- legitimate interests of the controller or processor,
- performance of a contract,
- compliance with legal obligations,
- scientific research purposes subject to appropriate safeguards,
- explicit consent for processing special categories of personal data,
- processing necessary for scientific research in accordance with applicable law.
The specific legal basis for each study should be stated in the study-specific participant information sheet, informed consent form, ethics documentation, or controller privacy notice.
Where Google Health API, Fitbit-related data, or other connected health service data is accessed, HealthReact accesses such data only after the participant has granted permission through the applicable authorization process.
8. Use of Google API data and Limited Use compliance
HealthReact's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
HealthReact uses Google API data only to provide or improve user-facing and study-related HealthReact functionality, including authorised data synchronization, research data collection, study monitoring, dashboards, reports, analysis, and study-specific interventions.
HealthReact does not use Google API data for advertising.
HealthReact does not sell Google API data.
HealthReact does not use Google API data for marketing profiling.
HealthReact does not transfer Google API data to advertising platforms, data brokers, or information resellers.
HealthReact does not use Google API data to determine creditworthiness, insurance eligibility, employment eligibility, or similar decisions.
HealthReact does not allow humans to read Google API data unless one of the following applies:
- the participant or study controller has authorised such access,
- access is necessary for security, abuse investigation, support, or debugging,
- access is necessary to comply with applicable law,
- access is necessary for authorised research staff, clinicians, or study administrators to perform the study functions described in the relevant study documentation.
Any access by authorised personnel is limited according to role, study, workspace, and need-to-know principles.
9. Data sharing and recipients
HealthReact may share or make data available only where necessary and in accordance with the applicable study documentation, contracts, participant consent, and legal requirements.
Recipients may include:
- the research institution responsible for the study,
- authorised study investigators,
- authorised clinicians or healthcare professionals involved in the study,
- authorised study administrators,
- data processors and technical service providers,
- cloud hosting providers,
- IT operations and support providers,
- analytics or export tools used by the study,
- ethics, regulatory, or auditing bodies where required,
- public authorities where legally required.
HealthReact does not sell personal data.
HealthReact does not sell Google API data or Fitbit-related data.
HealthReact does not share Google API data with advertisers or marketing platforms.
HealthReact does not share identifiable participant data between separate study workspaces unless this is explicitly authorised by the relevant controller and permitted by the applicable study documentation.
10. Study workspace separation
HealthReact is used in multiple studies. Studies may be operated on separate servers or within separate HealthReact workspaces on shared infrastructure.
HealthReact applies technical and organisational measures to separate studies and workspaces. Users authorised for one study or workspace do not automatically have access to data from another study or workspace.
Data is associated with internal identifiers such as:
- participant ID,
- workspace ID,
- study ID,
- tenant ID,
- device connection ID.
This separation is used to ensure that data collected for one study is not accessible to unauthorised users from another study.
11. Storage and security of data
HealthReact applies technical and organisational security measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.
These measures may include:
- encrypted communication using HTTPS/TLS,
- access control,
- role-based permissions,
- authentication and authorization mechanisms,
- pseudonymisation where appropriate,
- separation of study workspaces,
- secure handling of OAuth tokens,
- logging and audit trails,
- server monitoring,
- backup and recovery procedures,
- restricted administrative access,
- staff confidentiality obligations,
- security review and maintenance procedures.
OAuth access tokens and refresh tokens are stored securely and used only to maintain authorised data access. Access to such tokens is restricted to systems and personnel that require access for platform operation, security, support, or compliance purposes.
No method of transmission or storage is completely secure. HealthReact continuously works to maintain appropriate safeguards according to the nature of the data and the risks involved.
12. Data retention
Personal data is retained only for as long as necessary for the purposes described in this Privacy Policy, the relevant study documentation, contractual requirements, legal obligations, research integrity requirements, or applicable retention policies.
Retention periods may differ between studies.
In general:
- study data is retained according to the study protocol, contract, ethics approval, or legal requirements,
- technical logs are retained for a limited period necessary for security, debugging, and audit purposes,
- OAuth tokens are retained while the participant's external service connection remains active or while needed for the study,
- data may be deleted, anonymised, or archived after the relevant retention period.
If a participant disconnects Google Health API, Fitbit, or another external service, HealthReact will stop collecting new data from that connection. Previously collected data may be retained if required or permitted by the study protocol, legal basis, research integrity requirements, or controller instructions.
13. Participant choices and control
Depending on the study and application configuration, participants may have the ability to:
- refuse participation in a study,
- withdraw from a study,
- skip optional questionnaires,
- disable certain mobile permissions,
- disconnect a wearable device or external service,
- revoke Google OAuth access,
- request access to their data,
- request correction of inaccurate data,
- request deletion where legally applicable,
- object to processing where legally applicable,
- request restriction of processing where legally applicable,
- contact the study team or data controller with privacy questions.
Participants can revoke Google API access through their Google Account settings for connected third-party applications. If Google Health API or Fitbit-related access is revoked, HealthReact will no longer be able to retrieve new data from that Google connection.
Revoking Google API access does not automatically delete data that has already been collected and stored in HealthReact. Deletion or further retention of previously collected data depends on the applicable study documentation, legal basis, controller instructions, and legal requirements.
14. International transfers
HealthReact primarily aims to process and store data within the European Union or European Economic Area where applicable.
If data is transferred outside the European Union or European Economic Area, such transfer will be carried out in accordance with applicable data protection laws and appropriate safeguards, such as adequacy decisions, standard contractual clauses, contractual safeguards, or other legally recognised mechanisms.
The specific hosting location and transfer arrangements may depend on the study, controller, infrastructure, and contractual setup.
15. Children and minors
HealthReact may be used in studies involving children or minors only where the relevant study has appropriate ethical, legal, parental, guardian, institutional, or participant consent arrangements in place.
The specific rules for participation of minors are defined by the relevant study documentation, ethics approval, and applicable law.
HealthReact does not knowingly collect data from children outside a valid study, legal, or consent framework.
16. Automated processing and profiling
HealthReact may perform automated data processing to support study functionality, such as:
- detecting missing data,
- calculating compliance,
- generating dashboards,
- deriving digital biomarkers or study variables,
- triggering questionnaires,
- sending reminders,
- supporting study-specific interventions.
The specific automated processing depends on the study configuration.
HealthReact does not use Google API data or Fitbit-related data for advertising profiling, marketing profiling, credit scoring, insurance eligibility, employment eligibility, or similar decisions.
If a study uses automated processing that may significantly affect participants, this will be described in the relevant study documentation.
17. Data accuracy and limitations
HealthReact may process data received from third-party devices, applications, and APIs. Such data may depend on:
- device accuracy,
- sensor availability,
- participant behaviour,
- synchronization frequency,
- manufacturer algorithms,
- API availability,
- permissions granted by the participant,
- network connectivity,
- device battery status.
HealthReact does not guarantee that data from third-party devices or services is complete, continuous, clinically accurate, or suitable for diagnosis unless explicitly stated in the relevant study documentation.
HealthReact is generally intended for research and monitoring purposes, not as a standalone medical diagnostic tool, unless a specific certified medical device or regulated use case is explicitly documented.
18. Third-party services
HealthReact may integrate with third-party services, devices, or APIs. These services may have their own privacy policies, terms of service, and account settings.
Such services may include, depending on the study:
- Google Health API,
- Fitbit-related data sources,
- Garmin-related services or SDK-based integrations,
- continuous glucose monitoring services,
- smart scales,
- environmental sensors,
- mobile operating system services,
- other wearable, sensor, or health data providers.
Participants should review the privacy policies of any third-party services they connect to HealthReact.
HealthReact is responsible for the processing it performs after receiving data from third-party services. The third-party provider remains responsible for its own processing according to its own policies and terms.
19. Withdrawal of consent and study withdrawal
Participants may be able to withdraw consent or withdraw from a study, depending on the study design and applicable legal basis.
Withdrawal may affect future data collection, access to HealthReact, or continued participation in the study.
Withdrawal does not necessarily affect processing that occurred before withdrawal if such processing was lawful at the time. Previously collected data may continue to be processed where permitted by applicable law, study documentation, research integrity requirements, or controller instructions.
Participants should contact the relevant study team or controller for study-specific withdrawal procedures.
20. Rights of data subjects
Under applicable data protection laws, including the GDPR where applicable, participants may have rights such as:
- the right of access,
- the right to rectification,
- the right to erasure,
- the right to restriction of processing,
- the right to object,
- the right to data portability,
- the right to withdraw consent where processing is based on consent,
- the right to lodge a complaint with a supervisory authority.
The availability and scope of these rights may depend on the legal basis, study context, applicable law, and whether HealthReact acts as controller or processor.
If HealthReact acts as a processor, requests may need to be handled by the relevant study controller.
21. Supervisory authority
Participants in the Czech Republic may contact the Czech data protection supervisory authority:
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Website: https://www.uoou.cz
Participants may also have the right to contact another competent supervisory authority depending on their country of residence, place of work, or place of the alleged infringement.
22. Changes to this Privacy Policy
HealthReact may update this Privacy Policy from time to time to reflect changes in the platform, legal requirements, Google API requirements, study practices, or technical integrations.
The latest version will be published on the HealthReact website. If changes are material, HealthReact or the relevant study controller may provide additional notice where required.
23. Contact
For privacy-related questions about HealthReact, please contact:
HealthReact Privacy Contact
E-mail: info [at] healthreact.eu
For questions about a specific study, participants should contact the study team or controller identified in the study documentation.
