Data privacy policy App

Status: October 13, 2022

– Information according to Art. 13, 14, 21 General Data Protection Regulation (GDPR).

With the following data protection notices, we inform you about the nature, scope and purposes of the collection, use and other processing of personal data when using our mobile app “medidux™” (hereinafter “medidux™ app”).

1. Responsible party

The responsible party for the processing of your data when using the medidux™ app is:

mobile Health AG
Falkenstrasse 21
8008 Zurich
Switzerland
Tel: +41 43 243 76 22

E-mail: contact@mobilehealth.ch

Website: www.mobilehealth.ch

2. Data protection officer

You can reach the data protection officer of the responsible party at:

datenschutz@medidux.com

3. Download the medidux™ app

You can download the medidux™ app from the Google Play Store or the Apple App Store.

When downloading apps from the Google Play Store or the Apple App Store, the information required for this purpose is transferred to Google Ireland Limited or Apple Distribution International in Ireland, i.e. in particular user name, e-mail address and customer number of your Google or Apple account, time of download, payment information and the individual device identification number.

We have no influence on this data collection and are not responsible for it. For more information, please refer to the respective privacy notices of Google (https://policies.google.com/privacy) and Apple (https://www.apple.com/legal/privacy/de-ww/).

4. Personal data

Personal data is any information relating to an identified or identifiable natural person. When we process personal data, this means that we collect, store, transmit, delete or otherwise use this data.

When you use the medidux™ app, we request data from you that has nothing to do with your health or medical condition. When you register in the medidux™ app, we process information about you. This may include, for example:

  • First name
  • Last name
  • Username
  • Email address
  • Phone Number
  • Gender
  • Date of birth

The following data, which you can provide to us by using the medidux™ app, is so-called health data:

Information about vital parameters

  • Body weight
  • Glucose level for monitoring
  • Heart rate
  • Blood pressure
  • Body temperature
  • Oxygen saturation

Indication of medication

  • Chemotherapy medication
  • General medication
  • Indicate diagnostic radiologie exams
  • Other therapeutic measures taken
  • Indicate days of radiation treatment

Information on the overall status

  • Evaluations of cognitive tests
  • Structured, standardized meapping /recording of Symptoms
  • Structured, standardized recording of well-being
  • Mapping/Graphic display of the development of health status

Data on physician consultations, emergencies and hospitalizations

  • Information on unplanned physician consultation
  • data on the incidence of an emergency consultation
  • Information on the incidence of hospitalization
  • Indication of telephone consultations
  • Data on unscheduled consultations

The health data you enter is stored and processed in the app on your terminal device. The data entries/ recordings (your details) are transmitted to our server solely for you for the purpose of data backup. On this basis, you can also restore the medidux™ app after changing devices.

For the collection of health data, your consent is requested before this data is collected in the medidux™ app, as provided by law. Revocation of consent is possible at any time. Upon successful revocation, the personal account data and all data provided in the app as part of the treatment will be irrevocably deleted.

4.1 Processing of usage data of the medidux™ app.
When you use the medidux™ app, we process so-called usage data. For example, we log the connection of the medidux™ app to our servers. Among other things, your e-mail address (if you have logged in), date and time of access, duration of use, the functions called up, the amount of data transferred and the successful retrieval are stored in log files.

4.2 Use of the contents of the medidux™ app
When you use the contents of the medidux™ app, we additionally process the personal data you entered in the response to questions. This data is partly related to your physical and mental health (e.g. answering questions about your current mood and how you deal with it).

5. Processing purposes and legal basis

We process your data within DiGA for the following purposes:

  • For the intended use of the digital health application by the users (esp. med. determination) according to § 4 para. 2 p. 1 no. 1 DiGAV.
  • to the proof of positive care effects in the context of a trial according to § 139e paragraph 4 of the Fifth Book of the German Social Code § 4 para. 2 p. 1 no. 2 DiGAV
  • on the provision of evidence in the case of agreements pursuant to Section 134 (1) Sentence 3 of the Fifth Book of the German Social Security Code (with regard to certain (performance-based) settlements with health insurance funds) Section 4 (2) Sentence 1 No. 3 DiGAV

If you have given us your separate consent, we will also process data to permanently ensure the technical functionality, user-friendliness and further development of the DiGA (§ 4 para. 2 p. 1 no. 4 DiGAV).

If you are a self-payer or use a voucher code, selected data is processed to bill you for our services.

If legal retention periods exist, we store the data to meet our legal obligations.
In rare cases, data is stored for the defense of legal claims or fraud prevention.
In the following, we describe the purposes for which we process personal data with the medidux™ app and the legal basis on which we do so.

5.1 Registration in the medidux™ app.
When you register in the medidux™ app, we collect the above-mentioned and recorded data about you. Some of this information (e.g. name and email address) is mandatory for successful registration.
The processing is carried out for the implementation of pre-contractual measures, which take place at your request, in accordance with Art. 6 (1) (1) lit. b DSGVO. We process information that is not required for the execution of the contract on the basis of your consent pursuant to Art. 6 (1) (1) a DSGVO.

5.2 Processing of usage data in the medidux™ app
Usage data is logged for statistical purposes, for backup purposes, and for troubleshooting. The basis for the processing is a balancing of interests pursuant to Art. 6 (1) (1) (f) DSGVO, which always takes into account your legitimate interests.
For this purpose, your data is stored and processed on our servers. If you use the medidux™ app via different end devices, we synchronize your data between your end devices via our servers.
The basis for this processing is the fulfillment of our contractual obligation to you, and is carried out in accordance with Art. 6 (1) (1) (b) DSGVO and, if applicable, in accordance with your consent in accordance with Art. 6 (1) (1) (a) DSGVO.
We generally process your health data exclusively in accordance with Art. 9 (2) lit. a DSGVO if and insofar as we have received your consent to do so.

5.3 Contact and support
Our offer enables you to contact us. This is possible, for example, by using the telephone number provided or by sending us an e-mail. The information you provide when contacting us, such as name, address, e-mail address and telephone number, will be stored in order to process your request and any subsequent correspondence. The processing is carried out either for the fulfillment of a contract Art. 6 para. 1 lit. b GDPR or on the basis of a balancing of interests according to Art. 6 para. 1 lit. f GDPR, which always takes your interests into account.

5.4 Anonymization of personal data
We use collected data for other purposes (e.g. scientific evaluation, improvement of the medidux™ app and its stability) only after we have anonymized this data, i.e. when this data no longer allows identification of natural persons.

6. Recipients of personal data

We do not transfer your personal data to third parties without their consent, unless such transfer is permitted by law and necessary for the provision of our medidux™ app services.

When we use contract processing, such as hosting and other services, and transfer personal data to contractors for this purpose, we select them carefully, agree with them on data protection in contract processing agreements, and instruct and monitor them in accordance with applicable regulations.

To provide the service, we use the Open Telekom Cloud, in which your data is stored. The operator is T-Systems International GmbH (Hahnstraße 43d, 60528 Frankfurt am Main, Germany). Your data will be processed exclusively in Germany.

For the transmission of e-mails in the context of app use, we use the services of rapidmail (rapidmail GmbH, Wentzingerstraße 21 79106 Freiburg). Your data will be processed exclusively in Germany.

For the transmission of SMS in the context of medidux™ app in Switzerland use, we use the services of Sinch (Sinch AB (publ), Lindhagensgatan 74, 112 18 Stockholm, Sweeden). Your data will be processed exclusively in EU.

For the transmission of SMS in the context of medidux™ (DE) app in Germany use, we use the services of pitcom (pitcom GmbH, Bahnhofstraße 61 08523 Plauen). Your data will be processed exclusively in Germany.

7. Storage period and deletion

Personal data shall be kept for as long as necessary to fulfil the purpose(s) for which they were collected under the Regulation.

We store your data even after the original purpose for which it was collected has ceased to apply, only if we are obliged to store the data for other reasons, for example for archiving purposes (e.g. under commercial or tax law).
This results in the following deletion periods:

  • Health data (until revocation), at the latest when the provision of medidux™ ends.
  • Registration data (until deletion of the account – which is to be understood as revocation of consent in this case), alternatively at the latest with the termination of the provision of medidux™.
  • Your data on the device will only be present until the app is deleted from the device. Alternatively, local data will also be deleted upon successful login by means of other usage data or optional active logout in the device. By deleting data on the device, the data is still available on the medidux™ server for recovery.
8. Transfer of personal data to third countries

There is no transfer of personal data to third countries.

9. Data subject rights

If personal data of yours is processed, you are a data subject within the meaning of the GDPR and, in addition to the right to revoke the consent you have given to us, you have the following rights vis-à-vis the person responsible:

    • the right to information about your personal data stored by us (Art. 15 GDPR), in particular you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data if it has not been collected directly from you;
    • the right to have inaccurate data corrected or to have correct data completed (Art. 16 DSGVO),
    • the right to have your data stored by us deleted (Art. 17 GDPR), insofar as no legal or contractual retention periods or other legal obligations or rights to further storage are to be observed by us,
    • the right to restrict the processing of your data (Art. 18 GDPR), insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure; we no longer require the data, but you need it to assert, exercise or defend legal claims, or you have objected to the processing in accordance with Art. 21 GDPR,
    • the right to data portability pursuant to Art. 20 GDPR, i.e. the right to have selected data stored by us about you transferred in a common, machine-readable format, or to request that it be transferred to another controller.
    • the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

9.1 Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless he/she can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

9.2 Right to revoke your declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9.3 Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant* of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

10. No obligation to provide your data

There is no obligation to provide us with your data. However, it is possible that we need your data to perform a contract, e.g. if you wish to purchase one or more products on our website.

If you do not provide us with the personal data required for this and requested by us, about which you will be informed in the context of this data protection declaration, we may not be able to enter into a contract with you or fulfill a contract already concluded.

If you also prevent us from receiving data that is required to use our website, e.g. through technical measures, it is possible that you will not be able to use our website or not be able to use it to its full extent.