Notes on data protection


Note: For reasons of better readability, the male form is used for personal names. In the interests of equal treatment, corresponding terms apply to all genders. The shortened form of language is for editorial reasons only and does not imply any evaluation.

We, Bayerische TelemedAllianz GmbH, operate the website www.spastik-app.de and offer the mobile application (app) “Spastik-App” (both hereinafter referred to as service offerings). To the extent necessary, we process personal data from visitors to the website and registered users of the mobile app in connection with the use of these offerings.

We take the protection of your data very seriously. We only process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR). With this privacy policy, we would like to inform you about which personal data we process and for what purposes we do so. We also show you what measures we take to protect personal data, when we delete data and what rights you have as a user of our above-mentioned services.

Please note, however, that this privacy policy applies exclusively to the above-mentioned services offered by Bayerische TelemedAllianz GmbH. If you use other online services or are redirected to other websites via links, please read the privacy policy there to find out how your data is handled.

1. Responsible body

The person responsible within the meaning of the GDPR for the above-mentioned services is:

Bayerische TelemedAllianz GmbH
Brückenstraße 13 a
D-85107 Baar-Ebenhausen
Telephone: 08453 / 334 99 0
E-Mail: info@telemedallianz.de
Represented by the Managing Director Prof. Dr. med. Siegfried Jedamzik

2. Data Protection Officer

We have appointed an external data protection officer. You can contact him if you have any questions about your data, its deletion or your rights.

If you have any questions about your data security or need further information, please send an email to: datenschutz@telemedallianz.de

3. Data security

We use appropriate technical and organizational security measures to protect the data we store as best as possible against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with experts and adapted to new security standards.

All data exchanges in the Spasticity app are encrypted. We offer HTTPS as a transmission protocol for our website, always using the latest encryption protocols.


4. Cooperation with service providers/third countries

To operate our services, we use technical service providers who provide us with storage space and processing capacity in their data centers (hosting) and who also process personal data on our behalf in accordance with our instructions; personal data is never processed by service providers for their own purposes. All service providers have been selected with the utmost care and have data centers certified according to ISO-27001.

We have concluded data processing agreements with all service providers in accordance with Art. 28 GDPR and have checked their technical and organizational measures to protect personal data. All service providers are subject to the provisions of the GDPR.

For the mobile application “Spastik-App”, it is ensured that the service providers used - as well as Bayerische TelemedAllianz GmbH itself - do not transfer any data to third countries. As part of the operation of the website www.spastik-app.de, some recipients may not be based in the European Economic Area. If this is the case, we will only transfer your data to countries approved by the European Commission with an adequate level of data protection or ensure an adequate level of data protection through a legal agreement.

The service providers we use are listed by name in the following sections.

5. Data processing when visiting the website (www.spastik-app.de)

5.1 Connection data

When you visit our website www.spastik-app.de, the following two types of data and information are collected depending on the use of the service provider mentioned below:

The first category includes non-identifying and non-identifiable user data provided or collected through use of the Website (“Non-Personal Data”). We do not know the identity of the user from whom Non-Personal Data was collected. The Non-Personal Data that may be collected includes aggregated usage data and technical data transmitted by your device, including certain information regarding software and hardware (e.g. browser and operating system used on the device, language preference, access time, etc.).

The second category includes personal data, i.e. data that identifies an individual or by which an individual can be identified through reasonable measures. Such data includes in particular IP address and unique identifiers (e.g. MAC address and UUID) as well as other data resulting from your activity on the website.

To create the website, we use the modular system of the service provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.

We use the following service provider to host the website: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.

The purpose of processing connection data and temporarily storing it is to ensure the availability of our web server and the general accessibility and correct display of our website. The IP address and the technical data already mentioned are temporarily required to display the website, avoid display problems for visitors and resolve error messages.

The legal basis for data processing is the legitimate interest pursuant to Art. 6 (1) (f) GDPR, which was subjected to a comprehensive review in advance.

To protect your privacy, we delete or anonymize the IP address shortly after you visit our website. This means that the other technical data can no longer be traced back to you and is only used for anonymous, statistical purposes to optimize our website and troubleshoot errors.

5.2 Cookies

Our website sometimes uses so-called cookies. Cookies are small text files that are usually stored in a folder in your browser. Cookies contain information about the current or last visit to the website (name of the website, expiration date, any value).

We use the following two types of cookies on our website:

    Required cookies (we need these, e.g. to display the website correctly for you and to temporarily save certain settings)
    Functional and performance-related cookies (these help us, e.g. to evaluate technical data about your visit and thus avoid error messages)

If cookies do not contain a precise expiration date, they are only temporarily stored and automatically deleted as soon as you close your browser or restart your device. Cookies with an expiration date remain stored even if you close your browser or restart your device. Such cookies are only removed on the specified date or when you delete them manually.

The cookie banner on the website provides you with an overview of the cookies used and allows you to deactivate them. You can also configure, block and delete the use of cookies in your browser settings.

The legal basis for data processing is the legitimate interest pursuant to Art. 6 (1) (f) GDPR, which was subjected to a comprehensive review in advance.


6. Using the Spasticity App

The use of the spasticity app is intended for patients after a stroke.

The reality of care for patients with spastic movement disorders after a stroke is very important. Guideline-compliant treatment of patients with spasticity should follow an interdisciplinary treatment approach. In addition to general medical treatment, this should also include occupational and physical therapists, neurologists and, if necessary, other specialist groups. Rehabilitation programs should be initiated as soon as possible after a stroke.

The use of the spasticity app is intended to help patients to pay attention to signs of potentially developing spasticity through regular self-observation (self-monitoring) and to arrange for early assessment by a doctor.

The app is based on the principle of a questionnaire based on the traffic light principle. This should be filled out at regular intervals (weekly). Depending on the test result of the questionnaire, the patient is advised to contact their family doctor, physiotherapist or neurologist.

For the technical infrastructure for operating (registration and use) the Spasticity app, we use servers from Telekom Deutschland GmbH, which are located in ISO-27001 certified data centers in Germany and thus offer a special level of protection. Further information on data protection can be found in the data protection policy of Telekom Deutschland GmbH at: https://open-telekom-cloud.com/de/datenschutz.

In addition, we have implemented internal security measures to protect your data. Together with our data protection officer, we regularly monitor the data protection and data security measures implemented.

6.1 Download the Spasticity App

The spasticity app can be downloaded to mobile devices via the Apple App Store or Google Play. This may involve the transfer of the data required for the download to the respective provider. We have no influence on this data collection and are not responsible for it. The data transfer takes place based on your express consent and is technically necessary in order to be able to download the app.

6.2 Registration and login

As a patient, you have the option of registering in the app and then logging in with your user account at any time (login). The following personal data is required for registration:

Personal Information:

    Salutation
    First and last name
    Date of birth
    Email address
    Telephone contact details
    Address details
    Password


Information about the stroke provided to the patient by the doctor:

    Infarct size
    Degree of impairment
    Type of stroke
    Electronic patient record


In order to enable quick contact if necessary, patients can also store contact details (first name, last name, telephone number, e-mail address) of the treating family doctor, neurologist and physiotherapist.

The purpose of the requested data is to create a user account for using the Spasticity app. This is required in order to be able to use the Spasticity app within the framework of a user agreement.

The legal basis is the user agreement with Bayerische TelemedAllianz GmbH for the provision and use of the spasticity app, which you conclude with us by agreeing to the terms of use of the spasticity app (Art. 6 Para. 1 lit. b GDPR). If the data processed is health data, the legal basis is Art. 9 Para. 2 lit. a GDPR.

To protect your personal data, the data you enter here and when using the spasticity app is transmitted via an encrypted connection. Registration is based on the principle of data minimization, i.e. only data that is actually and absolutely necessary for using the app and its functions is recorded. After registration, you will receive an activation link to the email address you provided beforehand. You can only log in to the app after successful confirmation. If you do not confirm the activation link, your data will be automatically deleted after three months. After successful confirmation, your data will be stored until you terminate the user agreement by informal notification to Bayerische TelemedAllianz GmbH or until you request Bayerische TelemedAllianz GmbH to delete it. In addition, Bayerische TelemedAllianz GmbH will delete your account if it has been inactive for three months, i.e. if it has not been used by the patient or if users have not answered any questionnaires to be filled out in the spasticity app.

6.3 Sending emails to registered users

For the following purposes, emails required to create a user account and use the Spasticity app will be sent to the email address provided during registration:

    Verification after registration
    Sending a link to reset your password
    Weekly reminder to regularly use the spasticity app
    Request to participate in a scientific evaluation (see section 6.5)

We use the following service provider to send emails: Sendinblue GmbH, based at Köpenicker Straße 126, 10179 Berlin, Germany. Further information on the service provider's data protection can be found at https://de.sendinblue.com/legal/privacypolicy/

The purpose of the data processing is to create a user account and to enable the use of the Spasticity App within the framework of an individual account.

The legal basis is Art. 6 (1) lit. b GDPR, since the above-mentioned emails are necessary to fulfill the contract and provide the spasticity app.

To protect personal data, we adhere to the principle of data minimization and only use data that is absolutely necessary for data transmission. This is primarily the email that is required to create or restore an account. The service provider was selected based on a comprehensive review of its suitability to comply with data protection.

6.4 Using the Spasticity App

In order to be able to use the functions of the spasticity app, the data from your user account as well as the information provided when answering the questionnaire and the results of the questionnaire evaluations are processed on a server of our service provider Deutsche Telekom (see above). If the app is used to establish telephone contact with a family doctor, neurologist or physiotherapist whose contact details you have provided, the telephone function of your mobile device is used. Data is never transferred from the app to the service provider called.

Questionnaire

While using the Spasticity App, the following personal data (including health data) is collected and stored in your personal user account:

    Your information on the medical questions in the questionnaire
    Date and time of answering

In order to be able to track changes in health status over time, data is stored in the form of a history.

The purpose of the data processing described is to provide the spasticity app to support regular self-observation (self-monitoring) of a patient for signs of potentially developing spasticity, and to arrange for early clarification by a doctor. Furthermore, data is processed on all users of the spasticity app for the purpose of creating statistical, non-personal key figures on the use of the spasticity app.

The legal basis is the user agreement with Bayerische TelemedAllianz GmbH for the provision and use of the spasticity app (Art. 6 Para. 1 lit. b GDPR). If the data processed is health data, the legal basis is Art. 9 Para. 2 lit. a GDPR. Consent can be revoked or data deleted at any time.

As a protective measure, the data you enter is collected and transmitted via an encrypted connection. The hosting service provider was selected based on a comprehensive review of its suitability to comply with data protection regulations. All data is stored and processed exclusively in the European Union. Your data will be stored until you decide to terminate the user contract or request deletion from Bayerische TelemedAllianz GmbH. In addition, Bayerische TelemedAllianz GmbH will delete your data if an account has been inactive for three months, i.e. if it has not been used by the patient or if no questionnaires to be filled out in the spasticity app have been answered by the user.

6.5 Voluntary participation in a scientific study

Registered users of the spasticity app are asked to voluntarily participate in a scientific evaluation study. For this purpose, messages are sent every four weeks to the email address provided during registration. The emails each contain a link that, when clicked, takes users to an online questionnaire developed and operated by Bayerische TelemedAllianz GmbH. The questionnaire is hosted on a server of our service provider Telekom, mentioned in section 6.

By answering the questions, data from the participating users of the spasticity app is recorded and automatically evaluated and stored by Bayerische TelemedAllianz GmbH for the purpose of scientifically researching the quality of the questionnaire and the traffic light principle used, as well as for the further development of the spasticity app and scientific research into the development of possible spasticity after a stroke. If a scientific question requires it, the data collected and processed when using the spasticity app can be linked to the information from the questionnaires.

Data may be sent to scientific research facilities or clinical institutes for further analysis. We ensure that this is done exclusively in an anonymized form. This means that no reference to the person using the spasticity app is possible.

Participation in the survey (filling out the online questionnaire) is voluntary. If the patient does not want to fill out the questionnaire, there are no disadvantages. The spasticity app can also be used without participating in the survey.

The legal basis is the user's separate consent in accordance with the European data protection requirements of Art. 6 (1) (a) GDPR. If the data processed is health data, the legal basis is Art. 9 (2) (a) GDPR. A revocation of the consent or a request for deletion of the data is possible at any time.

To protect your data, participation is voluntary and not required to use the spasticity app. If you participate, your data will be processed in a secure data center within the scope of the GDPR. The data processing and evaluation will be carried out by the responsible body exclusively for scientific purposes and to further develop the spasticity app. If relevant bodies are involved for the purpose of medical research, no personal data will be transmitted.


7. Further data processing

7.1. Contact form

The website www.spastik-app.de contains a contact form that you can use to get in touch with us. You can provide us with the following information:

    Name
    Email address
    Telephone number
    Message

If you send us a message via the contact form, we use the provider Sendinblue GmbH, located at Köpenicker Straße 126, 10179 Berlin, Germany.

The sole purpose of the requested data is to communicate with you, which is why the data is only used for this purpose. The legal basis is a legitimate interest that was checked to pursue the purpose and within the framework of the aforementioned protective measures and in accordance with the European data protection requirements of Art. 6 (1) (f) GDPR.

As a security measure, contact is made via an encrypted connection - just like visiting the rest of the website. We also apply the principle of data minimization and only record the data that is actually required in the contact form. After we have successfully contacted you, your data will be deleted once the reason for contact no longer applies.

7.2 Email communication

You can also send us an email. We use the following provider to receive and respond: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.

The sole purpose of data processing is to communicate with you, which is why the data will only be used for this purpose.

The legal basis is the so-called legitimate interest, which was examined in order to pursue the purpose and within the framework of the aforementioned protective measures as well as in accordance with the European data protection requirements of Art. 6 (1) (f) GDPR.

As a protective measure, we have chosen a service provider based in Germany and a data center certified according to ISO 27001. If the email communication with you is not subject to statutory retention periods, we will delete your data immediately as soon as there is no longer any purpose for storing it.


8. Doctors directory

We offer doctors who perform treatments with botulinum toxin the opportunity to register in one of our doctor's directories. You can send us the following information:

    E-mail address
    Practice/Clinic name
    Practice/Clinic owner
    Practice/Clinic address
    Practice/Clinic phone number
    Practice/Clinic website

After verifying your identity, we will publish this data in a doctor directory on our website www.spastik-app.de. This is publicly accessible and can be viewed by anyone interested.

Registration is voluntary. The legal basis is the user's consent in accordance with the European data protection requirements of Art. 6 Paragraph 1 Letter a of GDPR. A revocation of consent or deletion of the data or removal from the directory is possible at any time by doctors requesting the deletion of the data from Bayerische TelemedAllianz GmbH by email or post.

9. Duration of data storage

We delete personal data if the purpose for which it was collected and processed no longer applies or if you request this. The cancellation or request can be made informally to Bayerische TelemedAllianz GmbH (e.g. by email or telephone). In this case, Bayerische TelemedAllianz GmbH will delete the account and thus all stored data. Furthermore, Bayerische TelemedAllianz GmbH will delete an account if it has been inactive for three months, i.e. if it has not been used by the patient or if no questionnaires have been filled out.

To the extent that there is a documentation and retention obligation for legal or other reasons (e.g. according to the Tax Code, Commercial Code) and further storage is necessary, the data will be retained until the end of the mandatory retention period.

 

10. Use of script libraries (Google Web Fonts)

To ensure that our content is displayed correctly and graphically appealing in every browser, we use script and font libraries such as Google Web Fonts (https://www.google.com/webfonts) for the website www.spastik-app.de. Google Web Fonts are transferred to your browser's cache so that they only need to be loaded once. If your browser does not support Google Web Fonts or denies access, the content will be displayed in a standard font.

When you access script or font libraries, a connection is automatically established to the operator of the library. In theory, this operator has the opportunity to collect data. It is currently not known whether and for what purpose the operators of the relevant libraries actually collect data. You can find the privacy policy of the operator of the Google library here: https://www.google.com/policies/privacy

11. Your rights

According to the GDPR, you as a user of our above-mentioned services have the following rights:

Right of revocation according to Art. 7 Para. 3 GDPR: You have the right to revoke your consent to the processing of data at any time, in whole or in part, without stating reasons and with effect for the future. In the event of revocation, we will delete the data concerned immediately. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Right to information in accordance with Art. 15 GDPR: You have the right to obtain information about your personal data stored by us, its origin and recipient, and the purpose of data processing at any time and free of charge. If you have any questions that this data protection notice could not answer, you can contact us at any time at the following email address or using the contact details provided in the imprint: info@doccuraplus.de.

Right to rectification in accordance with Art. 16 GDPR: You have the right to request the immediate rectification of inaccurate personal data. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

Right to erasure in accordance with Art. 17 GDPR: You have the right to request the erasure of your personal data if the requirements of Art. 17 Para. 1 GDPR are met. However, this right does not apply if the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

Right to restriction of processing in accordance with Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is being verified; if you oppose the deletion of your data where the data processing is inadmissible and instead request the restriction of the processing of your data; if you need your data to assert, exercise or defend legal claims after we no longer need this data because the purpose has been achieved; or if you have lodged an objection for reasons related to your particular situation, as long as it has not yet been determined whether our legitimate reasons outweigh yours.

Right to information in accordance with Art. 19 GDPR: If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the responsible party, this party is obliged to inform all recipients to whom the personal data concerning you was disclosed of said rectification, erasure or restriction of processing, unless doing so proves impossible or involves disproportionate expenditure. You have the right to be informed of these recipients.

Right to data portability in accordance with Art. 20 GDPR: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transmitted to another controller, provided this is technically feasible.

Right to object in accordance with Art. 21 GDPR: You have the right to object at any time to the processing of personal data concerning you based on Article 6 paragraph 1 letters e or f, for reasons related to your particular situation. Bayerische TelemedAllianz GmbH will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

Right to complain in accordance with Art. 77 GDPR: Without prejudice to other legal remedies, you have the right to complain to a supervisory authority at any time if you believe that the processing of personal data by Bayerische TelemedAllianz GmbH violates the provisions of the GDPR. The supervisory authority responsible for Bayerische TelemedAllianz GmbH is: Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, https://www.lda.bayern.de

12. Minors

Protecting the data of children and young people is particularly important online. The “Spasticity App” service is not designed for children and is not aimed at them. Minors may only use our services with the prior consent or authorization of a parent or guardian. We do not knowingly collect personal data from minors. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she can contact us at.

13. Updates/Changes

We reserve the right to regularly review this privacy policy and to adapt it to current technical and legal changes. You will find the date of the current version at the end of this privacy policy under "Status". Your continued use of our services after such changes have been published constitutes your consent to such changes.

In the event of significant changes that may affect the rights of users, we will communicate the changes in advance in an appropriate manner and, where appropriate, point out existing options for objection.

Status 27.04.2022: Version 1.0


