This privacy policy explains how personal data is processed on the website (hereinafter referred to as the "website") and on the Caspar Health app (hereinafter referred to as the "Caspar software"). The app can be used both via the installed Caspar Health app and directly via the web browser. The therapy portal (hereinafter "CASPAR") is operated on the app.

The object and purpose of the processing of data is the use of CASPAR for communication between patients, doctors and therapists as well as for online care, implementation and continuation of medical services/therapy measures via CASPAR.

Person responsible

GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as "we" or "us") is the controller pursuant to Art. 4 (7) of the General Data Protection Regulation (GDPR) for all personal data collected on the platform, unless otherwise stated in this privacy policy.

Personal data

Personal data within the meaning of Art. 4 No. 1 GDPR are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. Special categories of personal data include, for example, data relating to your physical health, so-called health data within the meaning of Art. 4 No. 15 GDPR.

Processing when visiting the website

Our website does not use cookies. 

When you visit our website, we collect personal data that your browser transmits to our server. We collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security.

These are: 

  • The IP address of the user (only for 24 hours)
  • Name of the website or file accessed 
  • Date and time of access
  • Amount of data transferred
  • Notification of successful retrieval
  • Browser type and version
  • Operating system of the user
  • End device used by the user, including MAC address
  • Referrer URL (the previously visited page) (24 hours)
  • Operating system and its interface
  • Language and version of the browser software

This data is not merged with other personal data that you actively provide on the website.

The server log files with the above-mentioned data are automatically deleted after seven days. We reserve the right to store the server log files for longer if there are facts that suggest unauthorized access (such as a hacking attempt or a so-called DoS attack). The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in the provision of the website and its proper operation.

User Health Connect data is not going to be sold to any third party.

What is an IP address?

Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access via which your device is currently connected to the Internet. It may be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your Wi-Fi. However, it can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private Wi-Fi or other Internet access. In its currently most common form (IPv4), the IP address consists of four blocks of numbers separated by dots. As a private user, you will not usually use a constant IP address, as this will only be assigned to you temporarily by your provider (so-called "dynamic IP address"). In the case of a permanently assigned IP address (so-called "static IP address"), it is in principle possible to clearly assign the user data via this feature. Except for the purpose of tracking unauthorized access to our website, we do not use this data for personal purposes, but only evaluate on an anonymous basis which of our websites are favored, how many accesses are made daily and the like.

Website contact form 

You have the option of contacting us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you.

We use this data on the basis of Art. 6 para. 1 sentence 1 lit. a) and b) or Art. 9 para. 2 GDPR to answer your request.

In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting us. We process your voluntary information on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

Your data will only be processed to answer your request. We will delete your data if it is no longer required and there are no legal obligations to retain it.


We use our e-mail newsletter to inform our customers and people who have expressed an interest in CASPAR about further developments and new products and offers. This is a voluntary subscription to the newsletter. The legal basis for sending the newsletter to our customers is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest arises from our interest in direct advertising. Other interested persons receive the newsletter on the basis of their consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

You can object to the use of your e-mail address for sending the newsletter at any time via a link in the respective newsletter or revoke your consent in this way. You can also send an e-mail to

Use of the Caspar therapy portal

Medical facilities and patients can set up accounts to use the CASPAR therapy portal. When creating a user account for our Caspar software, you will be asked to enter a range of personal data (in particular title, first name, surname, street, zip code, city, country of residence, telephone, e-mail address and possibly other data that we request during the registration process). However, only the country of residence is mandatory. You can view and change the data at any time under the heading "Patient account". If you have provided an e-mail address, you will receive an overview of your current therapy activities at regular intervals. You can unsubscribe from this at any time using the unsubscribe link. We collect, store and process your data mentioned in this section for the entire processing of your use of CASPAR, including any subsequent warranties. The details of this are set out in the respective contracts and terms and conditions concluded with the persons concerned. When using CASPAR, personal health data about patients will only be processed with their prior consent. This data is transferred to CASPAR by the medical facility or by the patients themselves. The data is only exchanged between the patient and the medical facility providing care and the doctors employed there. They are not passed on to third parties.

The data is stored for as long as it is required for the use of CASPAR. The data will then be deleted, unless there are legal rights or obligations to the contrary. It is assumed that CASPAR will continue to be used until the end of the respective contract term.

The legal basis for the processing is consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR.

The declarations of consent can be accessed at any time in the respective account under the heading "Legal". Personal data of therapists and non-health-related data of patients are processed for the purpose of performing the contract on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR.

Personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We oblige our employees to maintain confidentiality in accordance with the GDPR. Data transmissions are protected against access by third parties by encryption in accordance with the recognized state of the art.

Webinars, surveys

While using the CASPAR therapy portal, it is possible to take part in webinars. These are offered synchronously with the aftercare therapy program and represent a live expansion in the area of knowledge and well-being and are therefore also part of the therapy. You will be informed about this via e-mail. Participation is voluntary and is not a prerequisite for using CASPAR or for successfully completing therapy. The legal basis for this is Art. 6 para. 1 sentence 1 lit. a) and b) or Art. 9 para. 2 lit. a) GDPR. Each email contains an unsubscribe link.

 While using CASPAR, it is possible to take part in surveys to improve digital therapy with CASPAR and the therapy portal itself. Participation is voluntary and is not a prerequisite for using CASPAR or for successfully completing therapy. If a survey is conducted using pseudonymized data, the legal basis for this is Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR. The transmission takes place on the basis of Art. 45 para. 3 GDPR.

Data portability Art. 20 GDPR

We allow patients to voluntarily connect and import their activity and health data from various sources (such as cell phones, smartwatches, fitness trackers and other digital health services such as Apple Health Kit or Google Fit). By connecting your account from another provider to CASPAR, you explicitly instruct us to transfer your data from this provider to your CASPAR account (legal basis for this claim is Art. 20 para. 1 GDPR). The collection of this information is voluntary and not required for the use of CASPAR. CASPAR does not transfer any data to these providers. We integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Bismarckstraße 10-12, 10625 Berlin, Germany, as part of an order processing contract. mHealth Pioneers GmbH has no access to other data stored by CASPAR.


Data processing abroad

Any transfer of data to a third country takes place in compliance with the applicable data protection law. Data is transferred only to third countries for which an adequacy decision by the European Commission exists or, in the case of the USA, if an effective data privacy framework exists and the provider is listed under this agreement.

Goreha GmbH is ISO 27001 certified.

Use of tracking and analysis tools

The functions of a monitoring system are integrated into our Caspar software. The system notifies our development team of possible errors in the application. Log data is transmitted to the service for this purpose. If personal data is also included in the information transmitted in this way, the processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in an efficient root cause analysis to improve the reliability and functionality of the Caspar software. In the event that sensitive personal data is also included in the transmitted information, the transmission takes place on the basis of Art. 9 para. 2 lit. a) GDPR in the form of pseudonymized metadata.

The transfer of data to the service can be based on the adequacy decision within the meaning of Art. 45 GDPR.

Push messages

We offer you the option of receiving push messages or so-called in-app messages on your device. If you use our app via a push-enabled device, you can consent to receiving "push notifications". Your device will be assigned a pseudonymized device token ID, a unique connection number generated from the device ID, which we can use to address the push messages or in-app messages to you.

Your rights

You have the following rights with respect to us regarding personal data concerning you:

  • Right to information (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR),
  • Right to erasure (Art. 17 GDPR),
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right to object to processing (Art. 21 GDPR).

You have the right to withdraw your consent at any time (Art. 7 (3) GDPR).  The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent affects the permissibility of future processing of your personal data. Use of the corresponding services is no longer possible after withdrawal. 

If you wish to exercise your aforementioned rights, you can contact at any time. 

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

Duration of data retention and deletion (deletion concept)

If the patient gives their consent, their (sensitive) personal data will be processed until they withdraw their consent with effect for the future and the statutory retention periods have expired or the therapy has ended and the statutory retention periods have expired. The statutory retention and deletion periods apply. The following are generally relevant:

  • Section 238 (2) of the German Commercial Code (HGB) for up to 10 years with regard to billing documents of Goreha GmbH vis-à-vis the medical facility; in particular module overviews and KTL reports of the individual users in archived and pseudonymized form.
  • Section 147 para. 1 no. 2, para. 2 of the German Fiscal Code (AO) for up to 6 years with regard to billing documents of Goreha GmbH vis-à-vis the medical facility; in particular module overviews and KTL reports of individual users in archived and pseudonymized form.
  • Section 14 of the German Value Added Tax Act (UStG) for up to 6 years with regard to billing documents of Goreha GmbH vis-à-vis the medical facility; in particular module overviews and KTL reports of the individual users in archived and pseudonymized form.
  • Art. 17 para. 3 lit. e) GDPR in connection with the assertion, exercise or defence of legal claims of Goreha GmbH against the medical facility and patients for up to 5 years, also in archived and pseudonymized form.
  • Section 10 (3) of the Model Professional Code for Doctors (MBO-Ä) for 10 years for the purpose of Goreha GmbH doctors' and therapists' own treatment documentation in archived form.

The start of the period is based on the provisions of the applicable retention periods. If data is deleted as part of the regular deletion process after the retention periods have expired, this is done according to a defined process. Goreha GmbH has corresponding instructions that specify the employee responsible for the regular review and technical implementation of the deletion, the data categories, the processors concerned, the databases and tables affected, the protection class and the storage location (so-called deletion concept). As part of the regular erasure process, the respective processors are instructed to erase the marked data. These ensure deletion within 90-180 days. As an alternative to the deletion of their data, patients can give their consent to the anonymization of their data in the Caspar Health app for the purpose of deletion (primary purpose). The legal basis for this is Art. 9 para. 2 lit. a) GDPR or Art. 6 para. 1 sentence 1 a) or f) GDPR. Anonymization is currently based on the practice guidelines and the basic rules for anonymizing personal data of the Data Protection Foundation. The patient is informed that the anonymized data may then be used by Goreha GmbH to improve digital aftercare with Caspar Health (secondary purpose). If the patient withdraws their consent to the processing of their data with effect for the future, with the consequence that further use of the Caspar Health app for digital aftercare may no longer be possible, they will be informed of this within a reasonable period of time. Their data will then be checked in accordance with the deletion concept described above and deleted, provided there are no other retention periods to the contrary (in particular billing to the medical institution). In the event of uninstallation, it must first be clarified whether digital aftercare with Caspar Health is to be terminated at the same time. 
Without a request for deletion of the user account, uninstalling the app per se does not lead to the deletion of the data. The patient is informed in detail that they must consent to the processing of their personal data in order to be able to use Caspar Health. They are informed that they can withdraw their consent at any time, if necessary without being able to continue using Caspar Health, and that they can restrict the processing of their data. The patient can delete their account independently in their user account. This will result in the account being blocked, but the data associated with the account will be retained for as long as the statutory retention periods stipulate. If the user account is deleted, the patient will also be informed of the possibility of a data transfer. Personal data stored by the medical institution itself is exclusively subject to its deletion concept. Claims for revocation, deletion or restriction of data processing, provided that the Caspar Health App does not offer a function, should be sent to:

Encrypted data transmission

Your personal data is transmitted in encrypted form to prevent misuse by third parties, whereby we use state-of-the-art encryption (data transmission via Transport Layer Security 1.2). This is a common security technology that encrypts your personal data, including login data and your sensitive personal data, during transmission. Please note that data transfer via the Internet cannot be guaranteed to be 100% secure.

Online presence

We maintain online presences within social networks and on our website in order to communicate with the customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and websites, the terms and conditions and data processing guidelines of the respective operators apply. Unless otherwise stated in our privacy policy, we process users' data if they communicate with us within the social networks and website, e.g. send us messages. Social networks / platforms used by us: Instagram, LinkedIn, Facebook.

The controller for data processing at Instagram and Facebook is Meta Platforms Ireland Limited. If users are based in the EU or the EEA, LinkedIn Ireland is responsible for data processing at LinkedIn, otherwise LinkedIn Corporation (USA).

Questions for the data protection officer

If you have any questions about data protection, please send us an e-mail or contact our data protection officer directly.

Contact details:

Your contact person Elisabeth Hegele, Office Management, is happy to help!

+ 49 (0) 30 555 7829 19