1. Scope

This data protection declaration informs you about the processing of personal data on the internet presence www.caspar-health.com (hereinafter "website") as well as on the Caspar-Health platform ( hereinafter "platform"). The platform can be used both by means of the installed Caspar-Health app and directly via the web browser. The therapy portal (hereinafter "CASPAR") is operated on the platform.

2. Responsible

GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as "we" or "us") is the responsible party pursuant to Article 4 (7) of the General Data Protection Regulation (GDPR) for all personal data collected on the Platform, unless this Privacy Policy contains different information.

3. Personal data

Personal data in the sense of Art. 4 No. 1 GDPR are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. Special categories of personal data include, for example, data relating to your physical health, so-called health data within the meaning of Art. 4 No. 15 GDPR.

4. Processing when visiting our website

Our website uses only technically necessary cookies.

When visiting our website, the user's IP address is processed, as this is technically necessary to be able to display our website to you and to ensure its stability and security. In addition, data logs are deleted within 24 hours.

  • The IP address of the user
  • Name of the retrieved platform or file 
  • Date and time of access
  • data volume transferred
  • Message about successful retrieval
  • Browser type and version
  • Operating system of the user
  • used terminal device of the user, including MAC address
  • Referrer URL (the previously visited page) 
  • Operating system and its interface
  • Language and version of the browser software

This data is not merged with other personal data that you actively provide as part of the website.

The server log files with the above-mentioned data are automatically deleted after 24 hours, in exceptional cases after seven days. We reserve the right to store the server log files for longer if facts exist that suggest the assumption of unauthorized access (such as an attempt at hacking or a so-called DOS attack). The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. The legitimate interest is the provision of the website and its proper operation.

5. What is an IP address?

Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access via which your end device is currently connected to the Internet. It can be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your W-LAN. It can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private W-LAN or other Internet access. In its most common form (IPv4), the IP address consists of four blocks of digits separated by dots. In most cases, you as a private user will not use a constant IP address, as this is only temporarily assigned to you by your provider (so-called "dynamic IP address"). In the case of a permanently assigned IP address (so-called "static IP address"), a clear assignment of the user data via this characteristic is possible in principle. Except for the purpose of tracking unauthorized access to our website, we do not use this data in a personalized manner, but only evaluate on an anonymous basis which of our websites are favored, how many accesses occur daily and the like.

6. Website contact form

You have the possibility to contact us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you. We use this data on the basis of Art. 6 para. 1 p. 1 lit. f GDPR to answer your inquiry. In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting you. We process your voluntary information on the basis of your consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO. Your data will only be processed to respond to your inquiry. We will delete your data if it is no longer required and there are no legal retention obligations to the contrary. 

7. Newsletter

Existing customers and interested parties who have expressed their interest in CASPAR, we inform through our email newsletter about further developments and new products and offers.  You can object to the use of your email address for sending the newsletter at any time via a link in the respective newsletter. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. The legitimate interest follows from the information of customers.

8. Use of the therapy portal CASPAR

Medical facilities and patients can set up CASPAR accounts to use the therapy portal. When creating a user account for our platform, you will be asked to enter a number of personal data (in particular, title, first name, last name, street, postal code, city, country of residence, telephone, e-mail address and possibly other data that we ask for during registration). However, only the country of residence is mandatory. You can always view and change the data under the heading "Patient account". f you have provided an e-mail address, you will receive an overview of your current therapy activities at regular intervals. You can unsubscribe from this at any time using the unsubscribe link. We collect, store and process your, in this section mentioned, data for the entire handling of your use of CASPAR, including possible later warranties. The details of this are regulated in the respective contracts and T&Cs concluded with the persons concerned. When using CASPAR, personal health data about patients will be processed only with their prior consent. This data is transferred to CASPAR by the medical facility or by the patients themselves. Data is exchanged only between patients and the medical facility providing care and the physicians employed there. They are not passed on to third parties. 

The data is stored as long as it is required for the use of CASPAR. Afterwards, the data will be deleted, unless there are legal rights or obligations to the contrary. Continuous use of CASPAR is assumed until the end of the respective contract period. The legal basis for the processing is consent in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR in conjunction with. Art. 9 para. 2 lit. a) GDPR.  The declarations of consent can be accessed in the respective account under the heading "Legal" at any time. Personal data of the therapists and non-health-related data of the patients are processed for the purpose of contract performance on the basis of Art. 6 para. 1 p. 1 lit. b) GDPR.

The personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We commit our employees to confidentiality in the sense of the GDPR. Data transmissions are protected against access by third parties by means of encryption in accordance with the recognized state of the art.

9. Webinars, Surveys

While using the CASPAR therapy portal there is the opportunity to participate in webinars. These are offered synchronously with the therapy of the aftercare and represent a live extension in the area of knowledge and well-being. You will be informed about the upcoming webinars via e-mail. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy.  The legal basis for this is Art. 6 para. 1 p. 1 lit. b) and lit. f) GDPR. Each e-mail contains an unsubscribe link to opt out of receiving further information at any time.

While using CASPAR, it is possible to participate in surveys to improve the therapy as well as the therapy portal itself. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy. A majority of these surveys are anonymous, so no personal data are processed. If a survey is conducted using pseudonymized data, the legal basis for this is Article 6 (1) sentence 1 a) or Article 9 (2) a) GDPR.

10. Data portability Art. 20 GDPR

We enable patients to connect and import your activity and health data from various sources (such as cell phones, smartwatches, fitness trackers and other digital health services like Apple Health Kit or Google Fit). By connecting your account from another provider to CASPAR, you explicitly authorize us to transfer your data from that provider to your CASPAR account (the legal basis for this request is Art. 20 para.1 of the GDPR). The collection of this information is voluntary and not required for the use of CASPAR. CASPAR does not transfer any data to these providers.

11. Use of tracking and analysis tools

As part of CASPAR, we use information about your smartphone. These include, in particular, performance monitoring and error logs. We also need data from your end device to measure the functionality of the app. This enables us to record error and crash reports about the app in a timely manner and thus take necessary measures to ensure the app's functionality (crashlytics). For this purpose, information about your smartphone and operating system, e.g. your app build number, app version, device manufacturer and device model, is transmitted. Your data is stored until it is no longer required for the purpose for which it was collected. Monitoring data is deleted after 180 days at the latest. The legal basis for the collection and processing is your consent pursuant to Art. 6 (1) p. 1 lit. a) GDPR. You can revoke this at any time with effect for the future (see section 15).

Another monitoring system notifies our development team about possible errors in the application. Log data is transmitted for this purpose. If personal data is also involved in the information transmitted in this way, the processing is carried out in accordance with Art. 6 (1) f) GDPR on the basis of our legitimate interest in an efficient error cause analysis to improve the reliability and functionality of our website. In the event that sensitive personal data also participates in the transmitted information, the transmission takes place on the basis of Art. 9 (2) a) GDPR in the form of pseudonymized metadata.

12. Subprocessor

As part of CASPAR, we offer a communications solution for the provision of end-to-end communications video, mobile applications and collaboration tools. This also includes various analytics capabilities. In the event that sensitive personal data is involved, a transfer to the USA takes place in the form of pseudonymized metadata on the basis of Art. 9 (2) a) GDPR.

When hosting our platform, we rely on an external, certified hosting provider with data centers in Germany, the legal basis for this is Art. 6 (1) lit. a) GDPR.

We process your data to conduct patient surveys. A large part of these surveys are anonymous, so that no personal data are processed. If a survey is conducted using pseudonymized data, the legal basis for this is Art. 6 (1) a) or Art. 9 (2) a) GDPR. Participation in the surveys is voluntary, there is no obligation and participation is not a prerequisite for successful completion of therapy.

Upon request, you can obtain a detailed list of our currently used subprocessors: datenschutz@goreha.com.

13. Data processing in America

We currently still occasionally use service providers (order processors) who have a registered office or subcontractor in the USA and in doing so cannot exclude the possibility that your pseudonymized (meta)data is accessed from the USA. So far, we have no knowledge that the authorities from the USA actually have access. According to the case law of the ECJ (judgment of 16.07.2020, Ref.: C-311/18 ("Schrems II")), there is no adequate level of data protection in the USA. Therefore, we use new standard contractual clauses ("SCC") with our processors that are based in the USA or whose parent companies are headquartered in the USA and conduct a mandatory risk assessment for the transfer prior to the transfer. Furthermore, government surveillance measures may occur in the US. Individual remedies for violations of FISA Section 702 are also available to EU citizens against this. However, if this is not considered sufficient legal protection , data processing in the USA in connection with the use of CASPAR is based on consent within the meaning of Article 49 para. 1 lit. a) of the GDPR. This consent can be revoked at any time with effect for the future at privacy@goreha.com.

14. Push-Messages

We offer you the option to receive push messages or so-called in-app messages on your end device. If you use our app via a push-enabled end device, you can consent to receiving "push notifications". In doing so, your end device is assigned a pseudonymized Device Token ID, a unique connection number generated from the device ID, by means of which we can address the push notifications or in-app messages to you. The processing of possible personal data is carried out in accordance with Art. 6 para. 1 lit. a) GDPR. You can change the consent to the notification by push messages at any time in the settings in the app.

15. Use of data for research purposes

You have the option to provide your data (in pseudonymized form) for medical research on the basis of Art. 9 (2) a) GDPR. Medical research serves exclusively to improve the detection, treatment and prevention of diseases. Your data would be used for many different research purposes in the spirit of broad public benefit. At this time, not all future medical research content can be described. Thus, your data may be used for research questions that cannot be foreseen today. For this purpose, your patient data shall be stored for 10 years from the time of your consent.

Your patient data may be made available by universities, research institutes and research companies upon request for medical research purposes. Your data may only be used by the recipient for the predetermined and requested research purpose and may not be passed on for other purposes. In order to protect your data in the best possible way, the data will only be passed on pseudonymized in such a way that the data can no longer be assigned to your person or only with disproportionate effort by the recipient. We would like to draw your attention to the fact that there is a residual risk of traceability to your person whenever data is collected, stored and transmitted within the scope of research projects involving patient data by adding further information, e.g. from the Internet or social networks. This is particularly the case if you publish genetic or other health data on the Internet, e.g. for genealogical research.

Your consent to the disclosure of your data for research purposes is voluntary. You can revoke your consent to the scientific use of your data in whole or in part at any time without giving reasons and without adverse consequences by sending a message to privacy@goreha.com.

16. Your rights

You have the following rights in relation to us in respect of personal data relating to you:

  • Right of access,
  • Right of rectification or erasure,
  • Right to revoke consent given
  • Right to restrict processing,
  • Right to object to processing,
  • Right to data portability.

A revocation of a declaration of consent affects the permissibility of processing your personal data after you have expressed it to us. Use of the corresponding services is then no longer possible. If you wish to exercise your aforementioned rights, you can contact privacy@goreha.com at any time for this purpose.

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

17. Duration of data retention

In addition to the other clauses of this Privacy Policy, the following applies:

We store personal data only for as long as is necessary to fulfill the respective purposes for which the data was collected. Further processing may take place in individual cases if this is legally permissible, for example for the assertion, exercise or defense of legal claims, or if there is an obligation to retain the data.

18. Encrypted data transmission

Your personal data is transmitted in encrypted form to prevent misuse by third parties, and we use state-of-the-art encryption for this purpose (data transmission via Transport Layer Security 1.2.). This is a common security technology that encrypts your personal data, including login data and your sensitive personal data during transport. Please note that no one hundred percent security can be guaranteed when transferring data over the Internet.

19. Online presence

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. by sending us messages. Social networks / platforms used by us: Instagram, LinkedIn, Facebook. The data controller for Instagram and Facebook is Meta Platforms Ireland Limited. The data controller for LinkedIn is LinkedIn Ireland if users are based in the EU or EEA, otherwise LinkedIn Corporation (USA).

20. Questions to the Data Protection Officer

If you have any questions about data protection, please write us an e-mail or contact our data protection officer directly.


Your contact person Elisabeth Hegele, Office Management, is happy to help!

+ 49 (0) 30 555 7829 19