1. Area of application

This data protection declaration informs you about the processing of personal data on the website www.caspar-health.com (hereinafter referred to as "website") as well as in the Caspar-Health app (hereinafter referred to as "app") (website and app together hereinafter referred to as "platform").

2. Responsible

GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as "we" or "us") is the responsible party pursuant to Art. 4 (7) of the General Data Protection Regulation (DS-GVO) for all personal data collected on the platform, unless this data protection declaration contains deviating information.

3. Personal data

Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour. 

4. Automatic processing when visiting the platform

In the case of merely informational use of the platform, i.e. if your treating institution does not provide us with any personal data and you do not otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our platform, we collect the following data, which is technically necessary for us to display our platform to you and to ensure stability and security. These are:

  • IP address of the user
  • Name of the retrieved platform or file
  • Date and time of access
  • Data volume transferred
  • Message about successful retrieval
  • Browser type and version
  • Operating system of the user
  • Terminal device used by the user, including MAC address
  • Referrer URL (the previously visited page)
  • Operating system and its interface
  • Language and version of the browser software

This data is not merged with other personal data that you actively provide within the framework of the website.

The server log files with the above data are automatically deleted after seven days. We reserve the right to store the server log files longer if there are concrete indications of unauthorised access (such as a hacking attempt or a so-called DoS attack). The legal basis is Art. 6 para. 1 p. 1 lit. f) DS-GVO. The legitimate interest is the provision of the platform and its proper operation.

5. What is an IP address?

Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access via which your end device is currently connected to the Internet. It can be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your WLAN (Wi-Fi). It can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private WLAN or other Internet access. In its most common form (IPv4), the IP address consists of four blocks of digits separated by dots. In most cases, you as a private user will not use a constant IP address, as it is only temporarily assigned to you by your provider (so-called "dynamic IP address"). In the case of a permanently assigned IP address (so-called "static IP address"), a clear assignment of user data to a person via this characteristic is possible in principle. Except for the purpose of tracking unauthorised access to our website, we do not use this data in a personalised manner, but only evaluate on an anonymous basis which of our web pages are favoured, how many accesses occur daily and the like.

6. Contact form and captcha

You have the possibility to contact us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you.

We use this data on the basis of Art. 6 para. 1 p. 1 lit. f DSGVO to answer your inquiry.

In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting us. We process your voluntary information on the basis of your consent in accordance with Art. 6 Para. 1 S. 1 lit. a DSGVO.

Your data will only be processed to answer your request. We will delete your data if it is no longer required and there are no legal storage obligations to the contrary.

In order to protect our web forms from automated requests, we use a so-called Captcha from a third-party provider (Google). As part of the captcha function, all user input and mouse movements that you make on our website are automatically recorded (regardless of whether you call up pages that contain web forms or not). The data collected in this way is used to assess whether the entries originate from a human or an automated program.

Since the function is provided by a third-party provider, the display of the captcha leads to content from the third-party provider being reloaded. Through this, the third-party provider receives information that you have accessed our site as well as the technically necessary usage data in this context. The third party provider also receives your IP address, which is technically necessary to retrieve the content. We have no influence on the further data processing by the third-party provider. 

The data processing is based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO or § 15 para. 3 p. 1 TMG. You can withdraw your consent in whole or in part at any time without giving reasons and without adverse consequences by sending a message to datenschutz@goreha.com.  

Please note that the use of captchas may result in your data being processed outside the EU/EEA. In some countries, there is a risk that authorities may access the data for security and monitoring purposes without informing you or allowing you to seek redress. If we use providers in insecure third countries and you consent, the transfer to an insecure third country will be based on Article 49(1)(a) of the GDPR.  

7. User accounts

As part of creating a user account for our platform, you will be asked to enter a number of personal data (in particular, title, first name, last name, street, postcode, city, telephone, email address and possibly other data that we ask for as part of the registration process). You can always view, change and delete the data under the heading "Patient account". It is also possible for you to delete the entire user account at any time.

We collect, store and process your data mentioned in this section for the entire processing of your use of our services, including any subsequent warranties. The legal basis is Art. 6 para. 1 p. 1 lit. b) and f) DS-GVO. The legitimate interest is the provision of the user accounts.

The data collected with consent will only be processed or used insofar as this is necessary for the use of our services. The personal data will not be transmitted to third parties except to the supervising medical institution and the doctors and therapists employed there. Personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We oblige our employees to maintain confidentiality. Data transmissions are protected against access by third parties by means of encryption in accordance with the recognised state of the art.

8. Newsletter

We inform existing customers about further developments and new products as well as offers through our email newsletter. 

You can object to the use of your e-mail address for sending the newsletter at any time via a link in the newsletter. 

The legal basis is Art. 6 para. 1 p. 1 lit. f) DS-GVO. The legitimate interest lies in keeping our customers informed.

9. What are cookies?

Cookies are small text files that are stored on your terminal device by the browser you use when you call up our website. In this way, individual services of a website can "recognise" you and "remember" which settings you have made. On the one hand, this serves the user-friendliness of our website (e.g. storage of login data). On the other hand, cookies are used to collect statistical data on website usage and to use the data thus obtained for analysis and advertising purposes.

Some cookies are automatically deleted from your terminal device as soon as you leave the website again (so-called session cookie). Other cookies are stored for a certain period of time, which does not exceed two years (persistent cookies). In addition, we also use so-called third-party cookies, which are managed by third parties in order to offer certain services. 

You can influence the use of cookies. Most browsers have an option to restrict or completely prevent the storage of cookies. However, we must point out that the use and especially the comfort of use is limited without cookies.

We use the support tool Intercom from Intercom, Inc. (INTERCOM, INC., 55 2nd St, 4th Fl., San Francisco, CA 94105 USA). It is a communication platform for direct interaction via chat between website visitors and us. If questions arise, we can use this communication option to provide you with prompt assistance. Your details (browser type/version, operating system used, time of server entry, first name, last name, telephone number, e-mail address, company name) are collected in this context during registration on the portal and transmitted to Intercom securely via SSL encryption. 

The legal basis for this is Art. 6 para. 1 p. 1 lit. b) DSGVO. This data is stored by Intercom until we delete it, at the latest after 8 months.

We use Cloudflare on this website from Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) to make our website faster and more secure. In doing so, Cloudflare uses cookies and processes user data. Cloudflare, Inc. is an American company that provides a content delivery network and various security services. These services are located between the user and our hosting provider and act as a reverse proxy for websites. 

Cloudflare generally forwards only data that is controlled by the website operator. The content is therefore not determined by Cloudflare, but always by the website operator itself. For security reasons, Cloudflare also uses a cookie. The cookie (__cfduid) is used to identify individual users behind a shared IP address and to apply security settings for each individual user. This cookie is useful, for example, if you are using our website from a location where there are a number of infected computers: if your own computer is trusted, this can be recognised from the cookie.

Cloudflare keeps data logs only as long as necessary and this data is also deleted within 24 hours in most cases. Cloudflare also does not store any personal data, such as your IP address. However, there is information that Cloudflare stores indefinitely as part of its permanent logs in order to improve the overall performance of Cloudflare Resolver and to identify any security risks. You can read about exactly what permanent logs are stored at https://www.cloudflare.com/application/privacypolicy/. All data Cloudflare collects (temporary or permanent) is scrubbed of any personally identifiable information. All permanent logs are also anonymized by Cloudflare.

10. Use of the Caspar therapy portal

Medical facilities and patients can set up accounts for the use of the therapy portal Caspar (hereinafter "Caspar"). The details of this are regulated in the respective contracts and GTCs concluded with the persons concerned. When using Caspar, personal health data about patients will be processed only with their prior consent. This data is transferred to Caspar by the medical institution or by the patients themselves. Data is only exchanged between patients and the medical facilities providing care. They are not passed on to third parties.

We allow you, as a patient, to connect and import your activity and health data from various sources (such as mobile phones, smartwatches, fitness trackers and other digital health services like Apple HealthKit or Google Fit). By connecting your account from another provider to Caspar, you explicitly authorise us to transfer your data from that provider to your Caspar account (the legal basis for this request is Article 20 EU GDPR). The collection of this information is voluntary and not required for the use of Caspar. The Caspar app, on the other hand, does not transfer any data to these providers.

For this purpose, we integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Bismarckstraße 10-12, 10625 Berlin, Germany, as part of an order data processing agreement. mHealth Pioneers GmbH does not have access to any other data stored with Caspar.  

The data will be stored as long as they are necessary for the use of CASPAR. Subsequently, the data will be deleted, unless there are other legal rights or obligations. A continuous use of Caspar is assumed until the end of the contract period.

The legal basis for the processing is consent in accordance with Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) DS-GVO. The declarations of consent can be retrieved in the respective account. Personal data of the therapists and non-health-related data of the patients are processed for the purpose of contract performance on the basis of Art. 6 (1) S. 1 lit. b) DS-GVO.

11. Use of tracking and analysis tools

We use the tracking and analysis tool Firebase, which uses information about your smartphone. 

This includes, in particular, performance monitoring and error logs. We also need data from your end device to measure the functionality of the app. This allows us to record error and crash reports about the app in a timely manner and thus take necessary measures to ensure the app's functionality.

The legal basis for the collection and processing is your consent pursuant to Art. 6 (1) p. 1 lit. a) DS-GVO. You can revoke this at any time with effect for the future. However, this does not affect the legality of the storage carried out on the basis of the consent until the revocation. You can send your revocation at any time to CASPAR Data Protection at Datenschutz@goreha.com. 

If you have consented, we use the tool Firebase from the provider Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043 ("Google")) to evaluate the use of our app. 

Information about your smartphone and operating system, e.g. your app build number, app version, device manufacturer and device model, is transmitted to Firebase. 

Relevant transfers to Firebase are based on standard contractual clauses; these may continue to be a valid legal mechanism for transfers of data under the GDPR following the ECJ ruling on the EU-US Privacy Shield (16.07.2020). Details on data protection can be found here

Your data is stored until it is no longer required for the purpose for which it was collected. Firebase data is deleted after 180 days. 

The functions of the Datadog service are integrated on our platform. Datadog is a monitoring system of the American company Datadog, Inc., 620 8th Ave, 45th Floor, New York, NY 10018 USA. The system notifies our development team about possible errors in the application. For this purpose, log data is transmitted to Datadog, Inc. Insofar as the information thus transmitted also includes personal data, the processing is carried out in accordance with Art. 6 Para. 1 lit. f DSGVO on the basis of our legitimate interest in an efficient error cause analysis to improve the reliability and functionality of our Internet presence. Further information on the collection and use of data by Datadog, Inc. can be found at: www.datadoghq.com/legal/privacy.

12. Processor, infrastructure and server functionality tools

In the area of communication, we have integrated SendBird as a service provider. We use SendBird to handle all communication functions between medical service providers and patients within the platform. Further information on the handling of user data at SendBird can be found in the privacy policy: https://sendbird.com/privacy 

As a further communication tool, we use Nexmo, whose data protection contact is "Vonage Limited", 15 Bonhill Street, 3rd Floor, London, England EC2A 4DN, United Kingdom. Nexmo offers a communication solution for the provision of end-to-end communication (video, mobile applications and collaboration tools). This also includes various analytics capabilities. For more information, please see Nexmo's and Vonage's privacy policy: https://www.vonage.com/privacy-policy

When hosting our software, we rely on the services of Amazon Web Services (AWS) in Frankfurt (https://aws.amazon.com/de/compliance/gdpr-center/). The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/

For more information about security and privacy at AWS, please visit https://aws.amazon.com/de/data-protection/.

The current privacy policy of Amazon Web Services can be found at: https://aws.amazon.com/de/privacy/. 

We use the services of Mailgun (Mailgun Technologies Inc., 535 Mission St. 14th Floor San Francisco, CA 94105, USA) to automatically send emails to our customers. For more information about Mailgun's privacy policy, please visit: https://www.mailgun.com/privacy-policy.    

Our app uses the error analysis service Rollbar from Rollbar Inc. (Rollbar, 51 Federal Street, San Francisco, CA 94107, USA). 

This service reports technical errors that occur in the app to enable us to correct these errors immediately. The data is transferred after an error has been detected.

The purpose of the processing is the technical monitoring of our app and the documentation of error messages in order to ensure and optimize the technical stability of the app to enable our visitors to use our app as error-free as possible. The data transfer is only for troubleshooting purposes, there is no use for advertising purposes. You can find further data protection information from Rollbar at https://rollbar.com/privacy and at https://docs.rollbar.com/docs/data-processing-agreement.

13. Data processing in the USA

At present, we still occasionally use service providers (order processors) who have a registered office or subcontractor in the USA, and we cannot exclude the possibility that your pseudonymised data is accessed from the USA. So far, we have no knowledge that authorities from the USA actually have access. According to the case law of the ECJ (judgment of 16.07.2020, Ref.: C-311/18 ("Schrems II")), there is no adequate level of data protection in the USA. Furthermore, government surveillance measures may occur in the USA against which no sufficient legal protection can be claimed. Data processing in the USA in connection with the use of Caspar is based on your consent within the meaning of Article 49 (1) a) DSGVO. This consent can be revoked at any time with effect for the future.

14. Push messages

We also use the SendBird service to send you push messages or so-called in-app messages to your end device. If you use our app via a push-enabled end device, you can consent to receiving "push notifications". In doing so, your terminal device will be assigned a pseudonymous Device Token ID, a unique connection number generated from the Device ID, which we can use to address the push notifications or in-app messages to you. You can change your consent to be notified by push messages at any time in the settings in the app.

15. Use of data for research purposes

You have the option to provide your data for medical research. The sole purpose of medical research is to improve the detection, treatment and prevention of disease. Your data would be used for many different research purposes in the spirit of broad public benefit. At this stage, not all future medical research content can be described. Therefore, your data may be used for research questions that cannot be foreseen today. For this purpose, your patient data shall be stored for 10 years from the time of your consent. 

Your patient data may be made available to universities, research institutes and research companies upon request for medical research purposes. Your data may only be used by the recipient for the predetermined and requested research purpose and may not be passed on for other purposes. In order to protect your data in the best possible way, the data will only be passed on pseudonymously, in such a way that the recipient can no longer assign the data to your person, or only with disproportionately great effort. We would like to draw your attention to the fact that with every collection, storage and transmission of data within the framework of research projects with patient data, there is a residual risk of traceability to your person through the inclusion of further information, e.g. from the Internet or social networks. This is particularly the case if you publish genetic or other health data on the Internet, e.g. for genealogical research.

Your consent to the disclosure of your data for research purposes is voluntary. You may revoke your consent to the scientific use of your data, in whole or in part, at any time without giving reasons and without adverse consequences by sending a message to datenschutz@goreha.com.

16. Your rights

You have the following rights in relation to us in respect of personal data relating to you:

  • Right of access,
  • Right of rectification or erasure,
  • Right to revoke consent given
  • Right to restrict processing,
  • Right to object to processing,
  • Right to data portability.

A revocation of a declaration of consent affects the permissibility of processing your personal data only from the time you have declared it to us. Use of the corresponding services is then no longer possible.

If you wish to exercise your aforementioned rights, you can contact Datenschutz@goreha.com at any time.

You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

17. Duration of data retention

In addition to the other clauses of this privacy policy, the following applies:

We only store personal data for as long as is necessary to fulfil the respective purposes. Further processing may take place in individual cases if this is legally permissible, for example for the assertion, exercise or defence of legal claims, or if there is an obligation to retain the data.

18. Encrypted data transmission

Your personal data is transmitted in encrypted form to prevent misuse by third parties; for this purpose we use state-of-the-art encryption (data transmission via Transport Layer Security, TLS 1.2). This is a common security technology that encrypts your personal data, including login data and your health data, during transport. Please note that no one hundred percent security can be guaranteed for data transfer via the Internet.

19. Questions to the Data Protection Officer

If you have any questions about data protection, please write us an e-mail or contact our data protection officer directly:

Contact details:
Mr. Gregor Klar
klar@brainosphere.de
