Notes on data protection

Note: For reasons of better legibility, the masculine form is used for personal designations. Corresponding terms generally apply to all genders in terms of equal treatment. The shortened form of language is for editorial reasons only and does not include any rating.

We, Bayerische TelemedAllianz GmbH, operate the website www.spastik-app.de and offer the mobile application (app) "Spastik-App" (both hereinafter referred to as service offers). Insofar as it is necessary, we process personal data from visitors to the website and registered users of the mobile app in connection with the use of these offers.

We take the protection of your data very seriously. We only process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR). With this information on data protection, we would like to inform you about which personal data we process and for what purposes we do it. We will also show you what measures we take to protect personal data, when we delete data and what rights you have as a user of our services mentioned above.

Please note, however, that this information on data protection applies exclusively to the above-mentioned service offers from Bayerische TelemedAllianz GmbH. If you use other online offers or are redirected to other websites via links, find out about the respective handling of your data in the information on data protection there.

1. Responsible body

The person responsible within the meaning of the GDPR for the above-mentioned service offers is:

Bayerische TelemedAllianz GmbH

Brückenstraße 13 a

D-85107 Baar-Ebenhausen

Telephone: 08453 / 334 99 0

E-Mail: info@telemedallianz.de

Represented by the managing director Prof. Dr. med. Siegfried Jedamzik

2. Data Protection Officer

We have appointed an external data protection officer. You can contact them if you have any questions about your data, its deletion or your rights.

If you have any questions about your data security or require further information: write an e-mail to: datenschutz@telemedallianz.de

3. Data Security

In order to protect the data stored by us as best as possible against accidental or intentional manipulation, loss, destruction or access by unauthorized persons, we use appropriate technical and organizational security measures. The security levels are constantly checked in cooperation with experts and adapted to new security standards.

All data exchanges of the spastic-app are encrypted. We offer HTTPS as the transmission protocol for our website, in each case using the current encryption protocols.


4. Cooperation with service providers/third countries

For the operation of our service offerings, we use technical service providers who provide us with storage space and processing capacities in their data centers (hosting) and who also process personal data on our behalf according to our instructions; processing of personal data by service providers for their own purposes does not take place at any time. All service providers have been selected with the greatest care and have ISO-27001 certified data centers.

We have concluded order processing contracts with all service providers in accordance with Art. 28 GDPR and checked their technical and organizational measures to protect personal data. All service providers are subject to the provisions of the GDPR.

For the mobile application "Spastik-App" it is ensured that the service providers used - as well as the Bayerische TelemedAllianz GmbH itself - do not transfer data to third countries. As part of the operation of the website www.spastik-app.de, some recipients may not be based in the European Economic Area. If this is the case, we will only transfer your data to countries approved by the European Commission with an appropriate level of data protection or ensure an appropriate level of data protection through a legal agreement.

The service providers we use are listed by name in the following sections.

5. Data processing when visiting the website (www.spastik-app.de)

5.1 Connection Data

When you visit our website www.spastik-app.de, the following two types of data and information are recorded depending on the use of the service provider mentioned below:

The first category includes non-identifying and non-identifiable user information provided or collected through use of the Website (“Non-Personal Information”). We do not know the identity of the user from whom non-personal information was collected. The Non-Personal Information that may be collected includes Aggregated Usage Data and Technical Data transmitted by your device, including certain software and hardware information (e.g. browser and operating system used on the device, language preference, access time, etc.).

The second category includes personal data, which is data that identifies an individual or can be identified through reasonable measures. Such data includes in particular IP address and unique identifiers (e.g. MAC address and UUID) and other data resulting from your activity on the website.

To create the website, we use the modular system of the service provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.

We use the following service provider to host the website: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.

The purpose of processing connection data and storing it temporarily is to ensure the readiness of our web server and the general availability and correct display of our website. The IP address and the technical data already mentioned are temporarily required in order to display the website, to avoid display problems for visitors and to correct error messages.

The legal basis for data processing is the legitimate interest pursuant to Art. 6 Para. 1 lit. f GDPR, which was subjected to a comprehensive review in advance.

To protect your privacy, we delete or anonymize the IP address shortly after you visit our website. This means that the other, technical data can no longer be traced back to you and are only used for anonymous, statistical purposes to optimize our website and troubleshoot errors.

5.2 Cookies

Our website partially uses so-called cookies. Cookies are small text files that are usually stored in a folder in your browser. Cookies contain information about the current or last visit to the website (name of the website, expiry date, any value).

We use the following two types of cookies on our website:

  • Necessary cookies (we need these, e.g. to display the website correctly for you and to save certain settings temporarily)
  • Functional and performance-related cookies (these help us, e.g. to evaluate technical data of your visit and thus avoid error messages)

If cookies do not contain an exact expiry date, they are only temporarily stored and automatically deleted as soon as you close your browser or restart the end device. Cookies with an expiry date remain stored even if you close your browser or restart the end device. Such cookies will only be removed on the specified date or if you delete them manually.

The cookie banner on the website gives you an overview of the cookies used and you can deactivate them. You can also configure, block and delete the use of cookies in your browser settings.

The legal basis for data processing is the legitimate interest pursuant to Art. 6 Para. 1 lit. f GDPR, which was subjected to a comprehensive review in advance.


6. Use of the spastic-app

The use of the spastic-app is intended for patients after a stroke.

The reality of care of patients with spastic movement disorders after a stroke is very important. A guideline-based treatment of patients with spasticity should follow an interdisciplinary treatment approach. In addition to general medical treatment, this should also involve occupational therapists and physiotherapists, neurologists and, if necessary, other specialist groups. Rehabilitation programs should be initiated as soon as possible after a stroke.

The use of the spastic-app is intended to help patients to look out for signs of spasms that may be developing as part of regular self-monitoring and to arrange for clarification by a doctor at an early stage.

The app is based on the principle of a questionnaire using the traffic light principle. This should be completed at regular intervals (weekly). Depending on the test result of the questionnaire, the patient is advised to contact their family doctor, physiotherapist or neurologist.

For the technical infrastructure for operating (registration and use) the spastic-app, we use servers from Telekom Deutschland GmbH, which are located in ISO-27001-certified data centers in Germany and thus offer a special level of protection. Further information on data protection can be found in the data protection guidelines of Telekom Deutschland GmbH at: https://open-telekom-cloud.com/de/datenschutz.

In addition, we have implemented internal security measures to protect your data. Together with our data protection officer, we regularly check the measures used for data protection and data security.

6.1 Download the spastic-app

The spastic-app can be downloaded to mobile devices from the Apple App Store or Google Play. This can lead to the transmission of the data required for the download to the respective provider. We have no influence on this data collection and are not responsible for it. The data is transmitted on the basis of your express consent and is technically necessary in order to be able to download the app.

6.2 Registration and Login

As a patient, you have the option of registering in the app and then logging in with your user account at any time (login). The following personal data is required for registration:

Personal Information:

  • Salutation
  • First and last name
  • Date of birth
  • E-mail address
  • Telephone contact details
  • Address data
  • Password


Information about the stroke provided to the patient by the doctor:

  • Infarction size
  • Degree of impairment
  • Type of stroke
  • Electronic patient record


In order to enable quick contact if necessary, patients can also store contact details (first name, last name, telephone number, e-mail address) of the attending family doctor, neurologist and physiotherapist.

The purpose of the requested data is to create a user account for using the spastic-app. This is required in order to be able to use the spastic-app as part of a user agreement.

The legal basis is the contract of use with Bayerische TelemedAllianz GmbH for the provision and use of the spastic-app, which you conclude with us by agreeing to the terms of use of the spastic-app (Art. 6 Para. 1 lit. b GDPR). If the processed data is health data, the legal basis is Article 9 (2) (a) GDPR.

To protect personal data, the data you enter is transmitted here and also when using the spastic-app via an encrypted connection. Registration is based on the principle of data minimization, i.e. only data that is actually and absolutely necessary for using the app and its functions is recorded. After registering, you will receive an activation link at the e-mail address you provided previously. Only after successful confirmation can you log in with the app. If you do not confirm the activation link, your data will be automatically deleted after three months. After successful confirmation, your data will be stored until you terminate the user contract by sending an informal message to Bayerische TelemedAllianz GmbH or request Bayerische TelemedAllianz GmbH to delete it. In addition, Bayerische TelemedAllianz GmbH will delete the account if it has been inactive for three months, i.e. if it has not been used by the patient or if no questionnaires to be filled out in the spastic-app have been answered by the user.

6.3 Sending Emails to Registered Users

For the following purposes, e-mails required to create a user account and to use the spastic-app are sent to the e-mail address specified during registration:

  • Verification after registration
  • Sending a link to reset your password
  • Weekly reminder to use the spastic-app regularly
  • Request to participate in a scientific evaluation (see Section 6.5)


We use the following service provider to send emails: Sendinblue GmbH, based at Köpenicker Straße 126, 10179 Berlin, Germany. You can find more information about the data protection of the service provider at https://de.sendinblue.com/legal/privacypolicy/

The purpose of the data processing is to create a user account and to be able to use the spastic-app as part of an individual account.

The legal basis is Art. 6 Paragraph 1 lit. b GDPR, since the above-mentioned e-mails are required to fulfill the contract and provide the spastic-app.

To protect personal data, we adhere to the principle of data minimization and use only mandatory data for data transmission. This is primarily the e-mail that is required for account creation or recovery. The service provider was selected on the basis of a comprehensive examination of its suitability for compliance with data protection.


6.4 Use of the spastic-app

In order to be able to use the functions of the spastic-app, the data of your user account and the information provided when answering the questionnaire as well as the results of the questionnaire evaluations are processed on a server of our service provider Deutsche Telekom (see above). Insofar as telephone contact with a family doctor, neurologist or physiotherapist whose contact details you have provided is to be established via the app, the telephone function of your mobile device is used. A data transfer from the app to the called service provider does not take place at any time.

Questionnaire

While using the spastic-app, the following personal data (including health data) is recorded and stored in your personal user account:

  • Your information on the medical questions of the questionnaire,
  • day and time of answering


In order to be able to understand changes in the state of health over time, the data is stored in the form of a history.

The purpose of the data processing described is to provide the spastic-app to support regular self-observation (self-monitoring) of a patient for signs of spasms that may be developing and to arrange for a doctor to carry out clarifications at an early stage. Furthermore, data is processed for all users of the spastic-app for the purpose of creating statistical, non-personal key figures for the use of the spastic-app.

The legal basis is the user contract with Bayerische TelemedAllianz GmbH for the provision and use of the spastic-app (Art. 6 Para. 1 lit. b GDPR). If the processed data is health data, the legal basis is Article 9 (2) (a) GDPR. You can revoke your consent or delete the data at any time.

As a protective measure, the data you enter is collected and transmitted via an encrypted connection. The hosting service provider was selected on the basis of a comprehensive examination of its suitability for compliance with data protection. All data is stored and processed exclusively in the European Union. Your data will be stored until you decide to terminate the user contract or request deletion from Bayerische TelemedAllianz GmbH. In addition, Bayerische TelemedAllianz GmbH will delete the account if it has been inactive for three months, i.e. if it has not been used by the patient or if no questionnaires to be filled out in the spastic-app have been answered by the user.


6.5 Voluntary participation in a scientific study

Registered users of the spastic-app are asked to voluntarily take part in a scientific evaluation study. For this purpose, messages are sent every four weeks to the e-mail address specified during registration. Each e-mail contains a link which, after clicking, takes the user to an online questionnaire developed and operated by Bayerische TelemedAllianz GmbH. The questionnaire is hosted on a server of our service provider Telekom mentioned in Section 6.


By answering the questions, data of the participating users of the spastic-app is recorded, automatically evaluated and saved by Bayerische TelemedAllianz GmbH for the purpose of scientific research into the quality of the questionnaire and the traffic light principle used, as well as for the further development of the spastic-app and scientific research into the origin of possible spasms after a stroke. If a scientific question requires it, the data collected and processed when using the spastic-app can be linked to the information from the questionnaires.


Data can be transmitted to scientific research facilities or clinical institutes for the implementation of more detailed analyses. It is ensured that this is done in anonymous form only. This means that no reference to the person of the user of the spastic-app is possible.


Participation in the survey (filling out the online questionnaire) is voluntary. If the patient does not want to fill out the questionnaire, there are no disadvantages. The spastic-app can also be used without taking part in the survey.

The legal basis is the separate consent of the user in accordance with the European data protection requirements from Article 6 Paragraph 1 Letter a GDPR. If the processed data is health data, the legal basis is Article 9 (2) (a) GDPR. A revocation of the consent or a request for the deletion of the data is possible at any time.

To protect data, participation is voluntary and not required to use the spastic-app. If you participate, the data will be processed in a secure data center within the scope of the GDPR. The data processing and evaluations are carried out by the responsible body exclusively for scientific purposes and for the further development of the spastic-app. If relevant bodies are involved for the purpose of medical research, no personal data will be transmitted.


7. Further data processing

7.1 Contact Form

The website www.spastik-app.de contains a contact form that you can use to contact us. You can provide us with the following data:

  • Name
  • E-Mail address
  • Phone number
  • Message

If you send us a message using the contact form, we use the provider Sendinblue GmbH, based at Köpenicker Straße 126, 10179 Berlin, Germany.


The purpose of the requested data is exclusively to communicate with you, which is why the data is only used for this. The legal basis is a legitimate interest that has been checked to pursue the purpose and within the framework of the aforementioned protective measures and in accordance with the European data protection requirements from Article 6 (1) (f) GDPR.

As a protective measure, contact is made - just like visiting the rest of the website - via an encrypted connection. We also apply the principle of data minimization and only collect the data that is actually required in the contact form. Once contact has been successfully established, your data will be deleted as soon as the reason for contact no longer applies.


7.2 Email Communications

You can also email us. We use the following providers to receive and reply: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Information on data protection at IONOS can be found at https://www.ionos.de/terms-gtc/terms-privacy.


The purpose of data processing is exclusively to communicate with you, which is why the data is only used for this.

The legal basis is the so-called legitimate interest, which was checked to pursue the purpose and within the framework of the aforementioned protective measures and in accordance with the European data protection requirements from Article 6 (1) (f) GDPR.

As a protective measure, we have chosen a service provider based in Germany and a data center certified according to ISO 27001. If the e-mail communication with you is not subject to any statutory retention periods, we will delete your data immediately as soon as there is no longer any storage purpose for it.


8. Physician Directory

We offer doctors who carry out treatments with botulinum toxin the opportunity to register in our doctors' directory. You can send us the following information for this purpose:

  • E-Mail address
  • Practice/clinic Name
  • Practice/clinic Owner
  • Practice/clinic Address
  • Practice/clinic Telephone number
  • Practice/clinic Website


After checking the identity, we will publish this data on our website www.spastik-app.de in a doctors' directory. This is publicly accessible and can be viewed by all interested parties.

Registration is voluntary. The legal basis is the user's consent in accordance with the European data protection requirements from Article 6 (1) (a) GDPR. Withdrawal of consent or deletion of the data or removal from the directory is possible at any time by physicians requesting the deletion of the data from Bayerische TelemedAllianz GmbH by e-mail or post.


9. Duration of Data Retention

Personal data will be deleted by us if the purpose for collecting and processing them no longer applies or no longer exists, or if you request this. The termination or request can be made informally to the Bayerische TelemedAllianz GmbH (e.g. by e-mail or telephone). In this case, Bayerische TelemedAllianz GmbH will arrange for the account and thus all stored data to be deleted. In addition, Bayerische TelemedAllianz GmbH will delete the account if it has been inactive for three months, i.e. if it has not been used by the patient or if no questionnaires have been completed.

If there is a documentation and storage obligation for legal or other reasons (e.g. according to the tax code, commercial code) and further storage is required, the data will be stored until the end of the mandatory storage period.

 

10. Use of script libraries (Google Web Fonts)

To ensure that our content is displayed correctly and in a graphically appealing way in every browser, we use script and font libraries such as Google Web Fonts (https://www.google.com/webfonts) for the website www.spastik-app.de. Google Web Fonts are transferred to your browser's cache, so they only need to be loaded once. If your browser does not support Google Web Fonts or denies access, the content will be displayed in a standard font.

  • When calling up script or font libraries, a connection to the operator of the library is automatically established. It is theoretically possible for this operator to collect data. It is currently not known whether and for what purpose the operators of the relevant libraries actually collect data.
  • You can find the data protection provisions of the operator of the Google library here: https://www.google.com/policies/privacy


11. Your Rights

According to the GDPR, you as a user of our above-mentioned service offers have the following rights:

Right of revocation according to Art. 7 Para. 3 GDPR: You have the right to revoke your consent to the processing of data at any time, in whole or in part, without stating reasons with effect for the future. In the event of revocation, we will delete the data concerned immediately. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.


Right to information according to Art. 15 GDPR: You have the right to free information about your personal data stored by us, its origin and recipient and the purpose of data processing at any time. If you have questions about this that this data protection notice could not answer, you can contact us at any time at the following e-mail address or via the contact details given in the imprint: info@doccuraplus.de.


Right to rectification in accordance with Art. 16 GDPR: You have the right to request the rectification of the incorrect personal data concerned immediately. You have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.


Right to deletion according to Art. 17 GDPR: You have the right to request the deletion of your personal data if the requirements of Art. 17 Para. 1 GDPR are met. However, this right does not exist in particular if the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.


Right to restriction of processing in accordance with Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you contest, is being checked; if you refuse the deletion of your data because of inadmissible data processing and instead request restriction of the processing of your data; if you need your data to assert, exercise or defend legal claims after we no longer need this data once the purpose has been achieved; or if you have lodged an objection for reasons of your particular situation, as long as it is not yet clear whether our legitimate reasons prevail.


Right to information in accordance with Art. 19 GDPR: If you have asserted the right to correction, deletion or restriction of processing against the person responsible, he is obliged to inform all recipients to whom the personal data relating to you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.


Right to data portability in accordance with Art. 20 GDPR: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request transmission to another person responsible, insofar as this is technically feasible.

Right to object in accordance with Art. 21 GDPR: You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data relating to you, which is based on Article 6 paragraph 1 letters e or f. Bayerische TelemedAllianz GmbH no longer processes the personal data unless it can demonstrate compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.


Right to complain in accordance with Art. 77 GDPR: Without prejudice to other legal remedies, you have the right to complain to a supervisory authority at any time if you believe that the processing of personal data by Bayerische TelemedAllianz GmbH violates the provisions of the GDPR. The supervisory authority responsible for Bayerische TelemedAllianz GmbH is: Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, https://www.lda.bayern.de


12. Minors

Protecting the data of children and young people is very important, especially in the online area. The service offer "Spastik-App" is not designed for children and is not aimed at them. Use of our Services by minors is only permitted with the prior consent or authorization of a parent or legal guardian. We do not knowingly collect personal information from minors. If a parent or legal guardian becomes aware that his or her child has provided us with personal information without their consent, they may contact us at.


13. Updates/Changes

We reserve the right to regularly review this information on data protection and to adapt it to current technical and legal changes. You can find the date of the current version at the end of this privacy notice under "Status". Your continued use of our service offerings after such changes are posted constitutes your acceptance of such changes.

In the case of significant changes that may affect the rights of users, we will communicate the changes in advance in an appropriate manner and, if necessary, point out existing options for objection.


Status 27.04.2022: Version 1.0


