1. Scope

This data protection declaration informs you about the processing of personal data on the website www.caspar-health.com (hereinafter referred to as "website") as well as on the Caspar-Health app (hereinafter referred to as "Caspar software"). The app can be used both by means of the installed Caspar-Health app and directly via the web browser. The therapy portal (hereinafter "CASPAR") is operated on the app.

2. Responsible

GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as "we" or "us") is the responsible party pursuant to Article 4 (7) of the General Data Protection Regulation (DS-GVO) for all personal data collected on the Platform, unless this Privacy Policy contains different information.

3. Personal data

Personal data within the meaning of Art. 4 No. 1 DS-GVO are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. Special categories of personal data include, for example, data relating to your physical health, so-called health data within the meaning of Art. 4 No. 15 DS-GVO.

4. Processing when visiting our website

Our website does not use cookies.

When you visit our website, we collect personal data that your browser transmits to our server. We collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security.

These are:

  • The IP address of the user (only for 24 hours)
  • Name of the retrieved website or file
  • Date and time of access
  • Amount of data transferred
  • Message about successful retrieval
  • Browser type and version
  • Operating system of the user
  • End device used by the user, including MAC address
  • Referrer URL (the previously visited page) (24 hours)
  • Operating system and its interface
  • Language and version of the browser software

This data is not merged with other personal data that you actively provide within the framework of the website.

The server log files with the above data are automatically deleted after seven days. We reserve the right to store the server log files longer if there are facts suggesting unauthorized access (such as an attempted intrusion or a so-called DoS attack). The legal basis is Art. 6 para. 1 p. 1 lit. f) DS-GVO. The legitimate interest is the provision of the website and its proper operation.

5. What is an IP address?

Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access through which your end device is currently connected. It can be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your W-LAN. It can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private W-LAN or other Internet access. In its most common form (IPv4), the IP address consists of four blocks of digits separated by dots. In most cases, you as a private user will not use a constant IP address, as this is only assigned to you temporarily by your provider (so-called "dynamic IP address"). In the case of a permanently assigned IP address (so-called "static IP address"), a clear assignment of the user data via this characteristic is possible in principle. Except for the purpose of tracking unauthorized access to our website, we generally do not use this data in a personalized manner, but only evaluate on an anonymous basis which of our websites are favored, how many accesses occur daily, and the like.

6. Website contact form

You have the possibility to contact us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you.

We use this data on the basis of Art. 6 (1) p. 1 lit. b) and f) DS-GVO to answer your inquiry.

In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting us. We process your voluntary information on the basis of your consent in accordance with Art. 6 para. 1 p. 1 lit. a) DS-GVO.

Your data will only be processed to respond to your inquiry. We will delete your data if it is no longer required and there are no legal retention obligations to the contrary.

7. Newsletter

We inform our customers as well as persons who have expressed their interest in CASPAR about further developments and new products as well as offers by our email newsletter. This is a voluntary registration for the newsletter. The legal basis for sending newsletters to our customers is Art. 6 para. 1 p. 1 lit. f) DS-GVO. Our legitimate interest results from our interest in direct advertising. Other interested persons receive the newsletter based on their consent according to Art. 6 para. 1 p. 1 lit. a) DS-GVO.

You can object to the use of your e-mail address for sending the newsletter at any time via a link in the respective newsletter or revoke your consent in this way. You can also send an e-mail to Datenschutz@goreha.com.

8. Use of the therapy portal CASPAR

Medical facilities and patients can set up CASPAR accounts to use the therapy portal. When creating a user account for our Caspar software, you will be asked to enter a number of personal data (in particular, title, first name, last name, street, postal code, city, country of residence, telephone, e-mail address, and possibly other data that we ask for as part of the registration process). However, only the country of residence is mandatory. You can always view and change the data under the heading "Patient account". If you have provided an e-mail address, you will receive an overview of your current therapy activities at regular intervals. You can unsubscribe from this at any time using the unsubscribe link. We collect, store and process your data mentioned in this section for the entire processing of your use of CASPAR, including any subsequent warranties. The details of this are regulated in the respective contracts and T&Cs concluded with the persons concerned. When using CASPAR, personal health data about patients will be processed only with their prior consent. This data is transferred to CASPAR by the medical facility or by the patients themselves. Data is exchanged only between patients and the medical facility providing care and the physicians employed there. They are not passed on to third parties.

The data will be stored as long as they are necessary for the use of CASPAR. Subsequently, the data will be deleted, unless there are other legal rights or obligations. A continuing use of CASPAR is assumed until the end of the respective contract period.

The legal basis for the processing is consent pursuant to Art. 6 (1) p. 1 lit. a) DS-GVO in conjunction with Art. 9 (2) lit. a) DS-GVO.

The declarations of consent can be accessed in the respective account under the heading "Legal" at any time. Personal data of the therapists and non-health-related data of the patients are processed for the purpose of contract performance on the basis of Art. 6 para. 1 p. 1 lit. b) DS-GVO.

Personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We commit our employees to confidentiality in the sense of the DS-GVO. Data transmissions are protected against access by third parties by means of encryption in accordance with the recognized state of the art.

9. Webinars, Surveys

While using the CASPAR therapy portal, it is possible to participate in webinars. These are offered synchronously with the therapy offer of the aftercare and represent a live extension in the area of knowledge and well-being. You will be informed about this via e-mail. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy. The legal basis for this is Art. 6 para. 1 p. 1 lit. b) and lit. f) DS-GVO. Each e-mail contains an unsubscribe link by means of which the patient can opt out of receiving further information at any time.

While using CASPAR, it is possible to participate in surveys to improve the therapy as well as the therapy portal itself. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy. For this purpose, we use SmartSurvey, SmartSurvey Ltd, Basepoint Business Center, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD, United Kingdom. The majority of these surveys are anonymous, so no personal data is processed. If a survey is conducted using pseudonymized data, the legal basis for this is Article 6 (1) sentence 1 a) or Article 9 (2) a) DS-GVO. The legal basis for the processing is consent according to Art. 6 para. 1 p. 1 lit. a) DS-GVO in conjunction with Art. 9 para. 2 lit. a) DS-GVO. The transfer takes place on the basis of Art. 45 (3) DS-GVO. The EU Commission has declared the United Kingdom to be a safe third country in an adequacy decision dated 28.6.2021. Further information under SmartSurvey Privacy Policy.

10. Data portability Art. 20 DS-GVO

We enable you as a patient to connect and import your activity and health data from various sources (such as cell phones, smartwatches, fitness trackers and other digital health services such as Apple HealthKit or Google Fit). By connecting your account from another provider to CASPAR, you explicitly authorize us to transfer your data from that provider to your CASPAR account (the legal basis for this request is Article 20(1) of the DS-GVO). The collection of this information is voluntary and not required for the use of CASPAR. CASPAR does not transfer any data to these providers. For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Bismarckstraße 10-12, 10625 Berlin, as part of an order processing agreement. mHealth Pioneers GmbH does not have access to any other data stored with CASPAR.

11. Data processing abroad

Any transfer of data to a third country takes place in compliance with the applicable data protection law. Insofar as the existence of an adequate level of protection has not been established for a third country by the European Commission, we provide appropriate safeguards to ensure adequate protection of your data. This can be done, for example, by concluding data processing contracts that contain EU standard data protection clauses as well as implementing further technical or organizational measures to ensure appropriate guarantees for the required level of protection.

GOREHA currently still occasionally uses service providers (order processors) who have their headquarters, affiliated companies or subcontractors in the USA. Despite implemented measures, GOREHA cannot completely exclude the possibility that your pseudonymized data will be accessed from the USA. In a decision dated 10.07.2023, the EU Commission decided that the EU-USA data protection framework provides an adequate level of protection within the meaning of Art. 45 DS-GVO. In addition, we have implemented further measures to also ensure an adequate level of protection for processors that are not certified under the data protection framework by means of appropriate safeguards within the meaning of Article 46 of the DS-GVO.

12. Use of tracking and analysis tools

The functions of the Datadog service are integrated into our Caspar software. Datadog is a monitoring system provided by Datadog, Inc, 620 8th Ave, 45th Floor, New York, NY 10018 USA. The system notifies our development team about possible errors in the application. For this purpose, log data is transmitted to Datadog. Insofar as the information transmitted also contains personal data, the processing is carried out pursuant to Art. 6 (1) lit. f) DS-GVO on the basis of our legitimate interest in an efficient error cause analysis to improve the reliability and functionality of the Caspar software. In the event that sensitive personal data is also involved in the information transmitted, the transmission is carried out on the basis of Art. 9 (2) a) DS-GVO in the form of pseudonymized metadata. Further information on the collection and use of data by Datadog is available at: Privacy Policy | Datadog.


The transfer of the data to Datadog may invoke the adequacy decision within the meaning of Article 45 of the DS-GVO.

13. Processor, infrastructure and server functionality tools

In the area of communication, we have integrated SendBird Inc., 400 1st Avenue, San Mateo, CA 94401, USA as a service provider. We use SendBird to handle all communication functions between medical service providers and patients within the Caspar software. In the event that sensitive personal data is involved, transmission to the USA takes place in the form of pseudonymized metadata on the basis of Art. 9 (2) a) DS-GVO. For further information on the handling of user data at SendBird, please also refer to the SendBird privacy policy: Privacy Policy | SendBird.

The transfer to Sendbird is based on appropriate safeguards within the meaning of Article 46 of the DS-GVO, which ensure an adequate level of protection for the data subjects with regard to the data processed.


We use Vonage, Vonage Holdings Corp, 251 Little Falls Drive, Wilmington, DE 19808, USA, as another communications tool. Vonage provides a communications solution for delivering end-to-end communications: video, mobile apps, and collaboration tools. This also includes various analytics capabilities. In the event that sensitive personal data is involved, a transfer to the USA takes place in the form of pseudonymized metadata on the basis of Art. 9 (2) a) DS-GVO. More detailed information can be found in Vonage's privacy policy at: Vonage Privacy Policy.

The transfer to Vonage is based on appropriate safeguards within the meaning of Article 46 of the DS-GVO, which ensure an adequate level of protection for data subjects with regard to the data processed.


When hosting our software, we rely on the services of Amazon Web Services Inc. (AWS), 410 Terry Avenue North Seattle, WA 98109-52-10, USA. The AWS servers we use are located in a data center in Frankfurt: Global Infrastructure Regions and AZ.

This is done on the basis of Art. 6 para. 1 lit. b), Art. 9 para. 2 lit. a) DS-GVO exclusively in pseudonymized form.

The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data. More information about security and data protection at AWS can be found here: AWS Data Protection and here: GDPR - Amazon Web Services (AWS).

The current privacy policy of Amazon Web Services can be found at: Privacy Notice

The transfer of the data to Amazon Web Services may invoke the adequacy decision within the meaning of Article 45 DS-GVO.


We use the services of Mailgun Technologies Inc, 535 Mission St. 14th Floor San Francisco, CA 94105, USA for the automatic sending of emails to our customers. In the event that personal data is affected by the transmission, this is done on the basis of Art. 6 (1) lit. b) DS-GVO. For more information about Mailgun's privacy policy, please visit: Mailgun Privacy Policy - Email API Service.

The transfer to Mailgun is based on appropriate safeguards within the meaning of Article 46 of the DS-GVO, which ensure an adequate level of protection for data subjects with regard to the data processed.


Our app uses the error analysis service Rollbar Inc, 51 Federal Street, San Francisco, CA 94107, USA. This service reports technical errors that occur in the app to enable us to correct these errors immediately. The transfer of data takes place after an error has been detected. The purpose of the processing is the technical monitoring of our app and the documentation of error messages in order to ensure the technical stability of the app and to optimize it, so that our visitors can use our app as error-free as possible. The data transfer is only for troubleshooting purposes. In the event that sensitive personal data is involved, the transmission is based on Art. 9 (2) a) DS-GVO. The transmission takes place in the form of pseudonymized metadata. Further data protection information from Rollbar can be found under Privacy Policy as well as under: Data Processing Addendum.

The transfer of data to Rollbar may invoke the adequacy decision within the meaning of Art. 45 DS-GVO.


Our Caspar software uses Snowflake, Snowflake Computing Netherlands B.V., Gustav Mahlerlaan 300-314, Foz Building, 1082 ME, Netherlands (parent company Snowflake Inc. Delaware, USA), to process and provide data for our services. The data is provided in a pseudonymized form. This is done on the basis of Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) DS-GVO. For more information, see Privacy Notice | Snowflake. Snowflake is hosted on Amazon Web Services ("AWS"); AWS is accordingly subject to data protection certification in accordance with the Adequacy Decision of 10.07.2023, see item 13.

Our Caspar Software also uses SimplifyU, SimplifyU GmbH, Ehrwalder Straße 4, 82467 Garmisch-Partenkirchen, Germany, for quality management and document provision purposes. This is done on the basis of Art. 9 para. 2 lit. a) DS-GVO. Further information: Privacy Policy SimplifyU


We use Rapidmail, Rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg im Breisgau, Germany, for purposes of effective treatment and regular, individual status overview for patients. The basis for this is Art. 9 para. 2 lit. a) or Art. 6 para. 1 lit. a) DS-GVO. Further information: https://www.rapidmail.de/datenschutz.


We use Tableau and Salesforce, Salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany (parent company Salesforce Inc., USA) for sales, customer relations and marketing. Processing of personal data is based on Art. 6 para. 1 lit. b) DS-GVO as well as Art. 6 para. 1 lit. f) DS-GVO. In addition, data processed under Art. 9 para. 2 lit. a) DS-GVO is pseudonymized.

The transfer of the data to Tableau may invoke the adequacy decision within the meaning of Article 45 DS-GVO.


We use Smart Survey, Smart Survey Ltd, Basepoint Business Centre, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD, United Kingdom, to conduct patient surveys. The majority of these surveys are anonymous, so no personal data are processed. If a survey is conducted using pseudonymized data, the legal basis for this is Art. 6 (1) a) or Art. 9 (2) a) DS-GVO. Participation in the surveys is voluntary; there is no obligation. Further information: Privacy Policy - SmartSurvey.

The transfer of the data to SmartSurvey may invoke the adequacy decision within the meaning of Article 45 DS-GVO.

14. Push messages

We also use the SendBird service to send you push messages or so-called in-app messages to your end device. If you use our app via a push-enabled end device, you can consent to receiving "push notifications". In doing so, your end device is assigned a pseudonymized Device Token ID, a unique connection number generated from the device ID, by means of which we can address the push notifications or in-app messages to you. The processing of possible personal data is carried out in accordance with Art. 6 para. 1 lit. a) DS-GVO. You can change the consent to the notification by push messages at any time in the settings in the app.

15. Use of data for research purposes

You have the option of providing your data (in pseudonymized form) for medical research, the basis for which is Art. 9 (2) a) DS-GVO. Medical research serves exclusively to improve the detection, treatment and prevention of diseases. Your data would be used for many different research purposes in the sense of a broad benefit for the general public. At this time, not all future medical research content can be described. Thus, your data may be used for research questions that cannot be foreseen today. For this purpose, your patient data shall be stored for 10 years from the time of your consent.

Your patient data may be made available by universities, research institutes and research companies upon request for medical research purposes. Your data may only be used by the recipient for the predetermined and requested research purpose and may not be passed on for other purposes. In order to protect your data in the best possible way, the data will only be passed on pseudonymized in such a way that the data can no longer be assigned to your person or only with disproportionate effort by the recipient. We would like to draw your attention to the fact that there is a residual risk of traceability to your person whenever data is collected, stored and transmitted within the scope of research projects involving patient data by adding further information, e.g. from the Internet or social networks. This is particularly the case if you publish genetic or other health data on the Internet, e.g. for genealogical research.

Your consent to the sharing of your data for research purposes is voluntary. You may revoke your consent to the scientific use of your data, in whole or in part, at any time without giving reasons and without adverse consequences by sending a message to Datenschutz@goreha.com.

16. Your rights

You have the following rights with respect to us regarding personal data concerning you:

  • Right of access (Art. 15 DS-GVO),
  • Right to rectification (Art. 16 DS-GVO),
  • Right to erasure (Art. 17 DS-GVO),
  • Right to restriction of processing (Art. 18 DS-GVO),
  • Right to data portability (Art. 20 DS-GVO),
  • Right to object to processing (Art. 21 DS-GVO).

You have the right to revoke your consent at any time (Art. 7 (3) DS-GVO). The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. A revocation of a declaration of consent affects the permissibility of future processing of your personal data. Use of the corresponding services is no longer possible after revocation.

If you wish to exercise your aforementioned rights, you can contact Datenschutz@goreha.com at any time for this purpose.

You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

17. Duration of data retention

In addition to the other clauses of this privacy policy, the following applies:

We store personal data only for as long as is necessary to fulfill the respective purposes for which the data was collected. Further processing may take place in individual cases if this is legally permissible, for example for the assertion, exercise or defense of legal claims, or if there is an obligation to retain the data (Art. 77 DS-GVO).

18. Encrypted data transmission

Your personal data is transmitted in encrypted form to prevent misuse by third parties, and we use state-of-the-art encryption for this purpose (data transmission via Transport Layer Security 1.2). This is a common security technology that encrypts your personal data, including login data and your sensitive personal data, during transport. Please note that no one hundred percent security can be guaranteed when transferring data over the Internet.

19. Online presence

We maintain online presences within social networks and on our website in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and website, the terms and conditions and data processing policies of the respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and website, e.g. send us messages. Social networks / platforms used by us: Instagram, LinkedIn, Facebook.

The data controller for Instagram and Facebook is Meta Platforms Ireland Limited. The data controller for LinkedIn is LinkedIn Ireland if users are based in the EU or EEA, otherwise LinkedIn Corporation (USA).

20. Questions to the Data Protection Officer

If you have any questions about data protection, please write us an e-mail or contact our data protection officer directly.

Datenschutz@goreha.com

Your contact person Elisabeth Hegele, Office Management, is happy to help!

+ 49 (0) 30 555 7829 19
office@caspar-health.com