1. Scope

This data protection declaration informs you about the processing of personal data on the internet presence www.caspar-health.com (hereinafter "website") as well as on the Caspar-Health platform ( hereinafter "platform"). The platform can be used both by means of the installed Caspar-Health app and directly via the web browser. The therapy portal (hereinafter "CASPAR") is operated on the platform.

2. Responsible

GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as "we" or "us") is the responsible party pursuant to Article 4 (7) of the General Data Protection Regulation (GDPR) for all personal data collected on the Platform, unless this Privacy Policy contains different information.

3. Personal data

Personal data in the sense of Art. 4 No. 1 GDPR are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. Special categories of personal data include, for example, data relating to your physical health, so-called health data within the meaning of Art. 4 No. 15 GDPR.

4. Processing when visiting our website

Our website does not use cookies. 

When you visit our website, we collect personal data that your browser transmits to our server. We collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security. These are: 

  • The IP address of the user
  • Name of the retrieved platform or file 
  • Date and time of access
  • data volume transferred
  • Message about successful retrieval
  • Browser type and version
  • Operating system of the user
  • used terminal device of the user, including MAC address
  • Referrer URL (the previously visited page) 
  • Operating system and its interface
  • Language and version of the browser software

This data is not merged with other personal data that you actively provide as part of the website. The server log files containing the above data are automatically deleted after seven days. We reserve the right to store the server log files for longer if facts exist that suggest the assumption of unauthorized access (such as an attempt at hacking or a so-called DOS attack). The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. The legitimate interest is the provision of the website and its proper operation.

5. What is an IP address?

Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access via which your end device is currently connected to the Internet. It can be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your W-LAN. It can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private W-LAN or other Internet access. In its most common form (IPv4), the IP address consists of four blocks of digits separated by dots. In most cases, you as a private user will not use a constant IP address, as this is only temporarily assigned to you by your provider (so-called "dynamic IP address"). In the case of a permanently assigned IP address (so-called "static IP address"), a clear assignment of the user data via this characteristic is possible in principle. Except for the purpose of tracking unauthorized access to our website, we do not use this data in a personalized manner, but only evaluate on an anonymous basis which of our websites are favored, how many accesses occur daily and the like.

6. Website contact form

You have the possibility to contact us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you. We use this data on the basis of Art. 6 para. 1 p. 1 lit. f GDPR to answer your inquiry. In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting you. We process your voluntary information on the basis of your consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO. Your data will only be processed to respond to your inquiry. We will delete your data if it is no longer required and there are no legal retention obligations to the contrary. 

7. Newsletter

Existing customers and interested parties who have expressed their interest in CASPAR, we inform through our email newsletter about further developments and new products and offers.  You can object to the use of your email address for sending the newsletter at any time via a link in the respective newsletter. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. The legitimate interest follows from the information of customers.

8. Use of the therapy portal CASPAR

Medical facilities and patients can set up CASPAR accounts to use the therapy portal. When creating a user account for our platform, you will be asked to enter a number of personal data (in particular, title, first name, last name, street, postal code, city, country of residence, telephone, e-mail address and possibly other data that we ask for during registration). However, only the country of residence is mandatory. You can always view and change the data under the heading "Patient account". f you have provided an e-mail address, you will receive an overview of your current therapy activities at regular intervals. You can unsubscribe from this at any time using the unsubscribe link. We collect, store and process your, in this section mentioned, data for the entire handling of your use of CASPAR, including possible later warranties. The details of this are regulated in the respective contracts and T&Cs concluded with the persons concerned. When using CASPAR, personal health data about patients will be processed only with their prior consent. This data is transferred to CASPAR by the medical facility or by the patients themselves. Data is exchanged only between patients and the medical facility providing care and the physicians employed there. They are not passed on to third parties. 

The data is stored as long as it is required for the use of CASPAR. Afterwards, the data will be deleted, unless there are legal rights or obligations to the contrary. Continuous use of CASPAR is assumed until the end of the respective contract period. The legal basis for the processing is consent in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR in conjunction with. Art. 9 para. 2 lit. a) GDPR.  The declarations of consent can be accessed in the respective account under the heading "Legal" at any time. Personal data of the therapists and non-health-related data of the patients are processed for the purpose of contract performance on the basis of Art. 6 para. 1 p. 1 lit. b) GDPR.

The personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We commit our employees to confidentiality in the sense of the GDPR. Data transmissions are protected against access by third parties by means of encryption in accordance with the recognized state of the art.

9. Webinars, Surveys

While using the CASPAR therapy portal there is the opportunity to participate in webinars. These are offered synchronously with the therapy of the aftercare and represent a live extension in the area of knowledge and well-being. You will be informed about the upcoming webinars via e-mail. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy.  The legal basis for this is Art. 6 para. 1 p. 1 lit. b) and lit. f) GDPR. Each e-mail contains an unsubscribe link to opt out of receiving further information at any time.

While using CASPAR, it is possible to participate in surveys to improve the therapy as well as the therapy portal itself. Participation is voluntary and not a prerequisite for the use of CASPAR or for successful completion of therapy. For this purpose, we use SmartSurvey, SmartSurvey Ltd, Basepoint Business Center, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD, United Kingdom. The majority of these surveys are anonymous, so no personal data is processed. If a survey is conducted using pseudonymized data, the legal basis for the processing is Art. 6 para 1 p. 1 lit. a) DS-GVO in conjunction with Art. 9 para. 2 lit. a) DS-GVO. The transfer takes place on the basis of Art. 45 para. 3 DS-GVO, the EU Commission has declared the United Kingdom to be a safe third country in the context of an adequacy decision of 28.6.2021. For further information: Privacy Policy SmartSurvey

10. Data portability Art. 20 GDPR

We enable patients to connect and import your activity and health data from various sources (such as cell phones, smartwatches, fitness trackers and other digital health services like Apple Health Kit or Google Fit). By connecting your account from another provider to CASPAR, you explicitly authorize us to transfer your data from that provider to your CASPAR account (the legal basis for this request is Art. 20 para.1 of the GDPR). The collection of this information is voluntary and not required for the use of CASPAR. CASPAR does not transfer any data to these providers. For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Bismarckstraße 10-12, 10625 Berlin, as part of an order processing agreement. mHealth Pioneers GmbH does not have access to any other data stored with CASPAR.

11. Use of tracking and analysis tools

As part of CASPAR, we use Firebase from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043. Firebase uses information about your smartphone. These include, in particular, performance monitoring and error logs. We also need data from your terminal device to measure the functionality of the app. This enables us to record error and crash reports about the app in a timely manner and thus take necessary measures to ensure the app's functionality (crashlytics). Information about your smartphone and operating system, e.g. your app build number, app version, device manufacturer and device model, is transmitted to Firebase. Analytics functions that go beyond this are deactivated in Firebase. Relevant transfers to Firebase are based on the new standard contractual clauses as well as the conditions that go along with them. Details on data protection can be found at: Privacy Policy and Terms of Use. Your data will be stored until it is no longer necessary for the purpose for which it was collected. Firebase data is deleted after 180 days at the latest.  The legal basis for the collection and processing is your consent pursuant to Art. 6 (1) p. 1 lit. a) GDPR. You can revoke this at any time with effect for the future (see section 15). 

12. Processor, infrastructure and server functionality tools

In the area of communication, we have integrated SendBird Inc. 400 1st Avenue, San Mateo, CA 94401, USA as a service provider.  We use SendBird to handle all communication functions between medical service providers and patients within the platform. In the event that sensitive personal data is involved, transmission to the USA takes place in the form of pseudonymized metadata on the basis of Art. 9 (2) lit a) GDPR.  Further information on the handling of user data at SendBird can also be found in the Sendbird privacy policy: Privacy Policy | SendBird

We also use Vonage, formerly Nexmo, Vonage Holdings Corp, 251 Little Falls Drive, Wilmington, DE 19808, USA, as another communications tool. Vonage provides a communications solution for delivering end-to-end communications video, mobile applications and collaboration tools. This also includes various analytics capabilities. In the event that sensitive personal data is involved, a transfer to the USA takes place in the form of pseudonymized metadata on the basis of Art. 9 (2) lit a) GDPR.  More information can be found in Vonage's privacy policy at: Vonage Privacy Policy

When hosting our software, we rely on the services of Amazon Web Services Inc (AWS), 410 Terry Avenue North Seattle, WA 98109-52-10, USA. The AWS servers we use are located in a data center in Frankfurt:Global Infrastructure Regions. The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data. A possible data transfer to the USA is based on the new standard contractual clauses of the EU Commission and the associated requirements (see item 12). Details can be found at: AWS GRPD Data Processing Agreement This is done on the basis of Art. 6 para. 1 lit. b), Art. 9 para. 2 lit. a) GDPR as well as § 26 BDSG exclusively in pseudonymized form. You can find more information about security and data protection at AWS here: AWS Data Protection and here: DSGVO – Amazon Web Services (AWS). The current privacy policy of Amazon Web Services can be found at: Data Privacy

We use the services of Mailgun Technologies Inc, 535 Mission St. 14th Floor San Francisco, CA 94105, USA for the automatic sending of emails to our customers. In the event that personal data is affected by the transmission, this is done on the basis of Art. 6 (1) lit. b) GDPR. For more information about Mailgun's privacy policy, please visit: Mailgun Privacy Policy - Email API Service   

Our app uses the error analysis service Rollbar Inc, 51 Federal Street, San Francisco, CA 94107, USA.  This service reports technical errors that occur in the app to enable us to correct these errors immediately. The transfer of data takes place after an error has been detected. The purpose of the processing is the technical monitoring of our app and the documentation of error messages in order to ensure the technical stability of the app and to optimize it to enable our visitors to use our app as error-free as possible. The data transfer is only for troubleshooting purposes. In the event that sensitive personal data is involved, the transmission is based on Art. 9 (2) a) GDPR. The transmission takes place in the form of pseudonymized metadata. Further data protection information from Rollbar can be found under Privacy Policy as well as under: Data Processing Addendum

Our platform uses Snowflake, Snowflake Computing Netherlands B.V., Gustav Mahlerlaan 300-314, Foz Building, 1082 ME, Netherlands (parent company Snowflake Inc. Delaware, USA), to process and provide data for our services. The data is provided in a pseudonymized form. This is done on the basis of Art. 6 para. 1 lit a) and Art. 9 para. 2 lit a) GDPR. Further information under: Privacy Notice | Snowflake  

Our platform also uses SimplifyU, SimplifyU GmbH, Ehrwalder Straße 4, 82467 Garmisch-Partenkirchen, Germany, for quality management and document provision purposes. This is done on the basis of Art. 9 (2) lit a) GDPR. Further information: Data Privacy Declaration SimplifyU 

We use Salesforce, Salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany (parent company Salesforce Inc. USA) for sales, customer relations and marketing. The processing of personal customer data is based on Art. 6 para. 1 lit. b) GDPR as well as Art. 6 para. 1 lit. f) GDPR. Further information: Privacy Policy - Salesforce.com

13. Data processing in America

We currently still occasionally use service providers (order processors) who have a registered office or subcontractor in the USA and in doing so cannot exclude the possibility that your pseudonymized (meta)data is accessed from the USA. So far, we have no knowledge that the authorities from the USA actually have access. According to the case law of the ECJ (judgment of 16.07.2020, Ref.: C-311/18 ("Schrems II")), there is no adequate level of data protection in the USA. Therefore, we use new standard contractual clauses ("SCC") with our processors that are based in the USA or whose parent companies are headquartered in the USA and conduct a mandatory risk assessment for the transfer prior to the transfer. Furthermore, government surveillance measures may occur in the US. Individual remedies for violations of FISA Section 702 are also available to EU citizens against this. However, if this is not considered sufficient legal protection , data processing in the USA in connection with the use of CASPAR is based on consent within the meaning of Article 49 para. 1 lit. a) of the GDPR. This consent can be revoked at any time with effect for the future at privacy@goreha.com.

14. Push-Messages

We also use the SendBird service to send you push messages or so-called in-app messages to your end device. If you use our app via a push-enabled end device, you can consent to receiving "push notifications". In doing so, your end device is assigned a pseudonymized Device Token ID, a unique connection number generated from the device ID, by means of which we can address the push notifications or in-app messages to you. The processing of possible personal data is carried out in accordance with Art. 6 para. 1 lit. a) GDPR. You can change the consent to the notification by push messages at any time in the settings in the app.

15. Use of data for research purposes

You have the option to provide your data (in pseudonymized form) for medical research on the basis of Art. 9 (2) a) GDPR. Medical research serves exclusively to improve the detection, treatment and prevention of diseases. Your data would be used for many different research purposes in the spirit of broad public benefit. At this time, not all future medical research content can be described. Thus, your data may be used for research questions that cannot be foreseen today. For this purpose, your patient data shall be stored for 10 years from the time of your consent.

Your patient data may be made available by universities, research institutes and research companies upon request for medical research purposes. Your data may only be used by the recipient for the predetermined and requested research purpose and may not be passed on for other purposes. In order to protect your data in the best possible way, the data will only be passed on pseudonymized in such a way that the data can no longer be assigned to your person or only with disproportionate effort by the recipient. We would like to draw your attention to the fact that there is a residual risk of traceability to your person whenever data is collected, stored and transmitted within the scope of research projects involving patient data by adding further information, e.g. from the Internet or social networks. This is particularly the case if you publish genetic or other health data on the Internet, e.g. for genealogical research.

Your consent to the disclosure of your data for research purposes is voluntary. You can revoke your consent to the scientific use of your data in whole or in part at any time without giving reasons and without adverse consequences by sending a message to privacy@goreha.com.

16. Your rights

You have the following rights in relation to us in respect of personal data relating to you:

  • Right of access,
  • Right of rectification or erasure,
  • Right to revoke consent given
  • Right to restrict processing,
  • Right to object to processing,
  • Right to data portability.

A revocation of a declaration of consent affects the permissibility of processing your personal data after you have expressed it to us. Use of the corresponding services is then no longer possible. If you wish to exercise your aforementioned rights, you can contact privacy@goreha.com at any time for this purpose.

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

17. Duration of data retention

In addition to the other clauses of this Privacy Policy, the following applies:

We store personal data only for as long as is necessary to fulfill the respective purposes for which the data was collected. Further processing may take place in individual cases if this is legally permissible, for example for the assertion, exercise or defense of legal claims, or if there is an obligation to retain the data.

18. Encrypted data transmission

Your personal data is transmitted in encrypted form to prevent misuse by third parties, and we use state-of-the-art encryption for this purpose (data transmission via Transport Layer Security 1.2.). This is a common security technology that encrypts your personal data, including login data and your sensitive personal data during transport. Please note that no one hundred percent security can be guaranteed when transferring data over the Internet.

19. Online presence

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. by sending us messages. Social networks / platforms used by us: Instagram, LinkedIn, Facebook. The data controller for Instagram and Facebook is Meta Platforms Ireland Limited. The data controller for LinkedIn is LinkedIn Ireland if users are based in the EU or EEA, otherwise LinkedIn Corporation (USA).

20. Questions to the Data Protection Officer

If you have any questions about data protection, please write us an e-mail or contact our data protection officer directly.


Our certification

ips seal of approval

go to privacy certificate

Our certification

ips seal of approval

go to privacy certificate

Your contact person Elisabeth Hegele, Office Management, is happy to help!

+ 49 (0) 30 555 7829 19