Data protection

GDPR and IBS data — what every app must answer

IBS data is special data. Bristol type, pain scale, stool frequency, and trigger notes fall under Art. 9 GDPR (health data) — a category with stricter rules than an address or date of birth. Anyone installing an IBS app is voluntarily uploading a particularly sensitive data category to third-party infrastructure. This article lays out the questions to ask before installation — and why most apps don't answer them cleanly.

[Figure: Data flow of an IBS app. Every app sends data somewhere; the only question is where, whether encrypted, and with or without trackers. Your device (input: Bristol, pain) → app server (storage: where exactly?) → either EU server (GDPR-compliant) or US cloud (third-country transfer). Three questions for every app: where is the server, who has access, which trackers run alongside? The answer must be readable from the privacy policy. If it isn't → risk.]
Anyone who can answer these three questions knows 80 % of the privacy risk of an IBS app.

Why IBS entries fall under Art. 9 GDPR

Art. 9(1) GDPR forbids processing of "special categories of personal data" — health data is explicitly listed. Art. 4(15) defines health data as data "which relate to the physical or mental health of a natural person". A Bristol-type-6 entry on a Tuesday evening qualifies; an IBS-SSS score of 280 does too; an entry "bloating 7/10 after onion" also counts.

Consequence: an IBS app may only process this data with a specific legal basis — in practice Art. 9(2)(a) (explicit consent) or, for medical devices, (h) (health care). "I accepted the ToS" is not enough. Consent must be explicit, informed, and revocable at any time. An app that doesn't clearly set out what happens with the data structurally violates GDPR.

Ten questions to ask every IBS app

The following ten questions can usually be answered in 5 minutes from a good privacy policy. If an app leaves more than three of them unanswered, that's a red flag.

  1. Who is the controller? Company name, legal form, seat, registry court, HRB number, VAT ID — required by Art. 13 GDPR.
  2. Where are the servers? EU, EEA, USA, worldwide? Which country specifically (not just "in the cloud")?
  3. Which processors are used? Hosting, database, analytics, push notifications, email delivery — each category with company, location, legal basis for third-country transfer.
  4. Which legal basis applies to which data? Art. 6 (general) vs. Art. 9 (health data) — must be listed separately.
  5. Which trackers / SDKs are running? Google Analytics, Facebook SDK, Firebase Crashlytics, Hotjar, Mixpanel, Braze, Adjust, AppsFlyer — especially common in mobile apps.
  6. Is data shared with third parties? Advertising, research partners, sale to data brokers — and if so, what consent is required.
  7. Is AI trained on your data? IBS entries are formally suitable for medical AI models. The app must disclose whether your data may be used for that.
  8. How long is data stored? Concrete periods, not "as long as necessary". What happens on account deletion and when.
  9. How can you exercise your rights? Art. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection) — with a concrete email address or in-app self-service.
  10. Who is your supervisory authority? In Germany for private persons: the data-protection supervisor of your federal state; for federal bodies, the BfDI.

Five common privacy traps in health apps

EU hosting vs. US cloud: why it matters

GDPR-compliant third-country transfers to the USA have run since 2023 under the EU-US Data Privacy Framework (EU-US DPF) and, for non-DPF-certified providers, under Standard Contractual Clauses (SCC) per Art. 46 GDPR. Both are legally permitted but carry higher risk and effort — and Schrems II (CJEU 2020, Schrems III potentially around the corner) makes clear that US agency access under FISA 702 remains an unresolved problem.

For health data the practical conclusion: if you have a choice between an app with EU hosting (Germany, Ireland, Netherlands — e.g. Hetzner, IONOS, Scaleway, OVH, Supabase EU) and one with US hosting (AWS us-east-1, Google Cloud us-central1), the EU option is structurally the lower risk. Neither "we use SCC" nor "our data is encrypted" makes US hosting data-protection equivalent — encryption protects against the cloud provider, not against government requests.

Cookie banners and TTDSG §25 — when do you need one?

Since TTDSG § 25 (2022), consent is required for any non-technically-necessary information stored on the end device. Consequence for IBS apps:

An IBS app that runs completely without trackers or ads doesn't need a cookie banner — only a privacy notice naming the technically necessary cookies. Details in our privacy policy, which explicitly invokes § 25(2) no. 2.

How DarmKompass handles your data

Transparent disclosure so you can measure us by the same questions:

This is not self-praise — it's the minimum that follows from the rules. Any app that can give similar answers is a valid choice. Our comparison article, IBS apps compared, openly sets us alongside five others.

Sources

  1. Layer P, Andresen V, Allescher H, et al. (2021). Update S3-Leitlinie Reizdarmsyndrom: Definition, Pathophysiologie, Diagnostik und Therapie. Z Gastroenterol (AWMF 021/016). PMID: 34891206. DOI: 10.1055/a-1591-4794

Editorially reviewed against DGVS S3 (AWMF 021/016) and peer-reviewed PubMed literature.

Frequent questions

Do I not need to worry about privacy with a German app?
Yes, you do. German jurisdiction is a prerequisite but not a guarantee. German apps can also use US cloud, trackers, or AI training. The 10 questions apply to every app — German, European, global.
Is the EU-US Data Privacy Framework secure enough?
Legally permissible but structurally riskier. FISA 702 still allows US agencies to access data in US cloud. For health data: if EU hosting is available, it's the smaller attack surface.
What if an app has no privacy policy?
Then it's probably not GDPR-compliant — don't install it. A missing or hidden privacy policy is a structural breach of Art. 12–14 GDPR and counts as a warning signal for supervisory authorities.
Can my health insurer see my DiGA app data?
Only billing data (prescription redemption, usage proof) — not therapy content. The DiGA specification strictly separates billing from health data. When in doubt: check the DiGA's privacy notice.
What do I do if I suspect an app is misusing my data?
File a complaint with your state's data-protection authority (BayLDA Ansbach in Bavaria, LDI Düsseldorf in NRW, LfDI Stuttgart in Baden-Württemberg, etc.). Free under Art. 77 GDPR. Beforehand: request a data export under Art. 15 GDPR so you know what the app has stored.
Do I need a cookie banner on my own website if I run an IBS community?
Only if you use analytics, advertising cookies, or marketing tools. Purely functional cookies (auth, language) are consent-free under TTDSG § 25(2) no. 2. For health communities a particularly lean tech setup is advisable.
How long should an app keep my deleted data?
After account deletion: 0 days for tracking data, up to 6 months for backup rollback (often technically unavoidable), possibly longer for statutory retention (invoices: 10 years under German HGB). Anything else is problematic.

Find your own pattern — not just read about it

darmkompass is the private IBS diary: 30-second entry, weekly pattern visible, doctor PDF on demand. No trackers, no ads.