Purpose | What data? | Processor |
---|---|---|
| | 📨 Contact and medical history data | AWS, IMEDIAPP SA (Batch.com), BroadSoft Germany GmbH |
| | 🤸♂️ Exercise history, questionnaires, training settings | AWS, IMEDIAPP SA (Batch.com), Google |
| | 📟 Technical device information | AWS, IMEDIAPP SA (Batch.com) |
| | 🎟 Activation code, pseudonymous payment nonce | Noventi |
| | ☎️ Support requests | Zammad, mailbox.org, BroadSoft Germany GmbH |
| | 📨 Prescription details, contact details | Zammad, mailbox.org, Deutsche Post AG |
| | 👤 User and application data | - |
| | 👤 User and application data | - |
| | 👤 User and application data | Bayoomed |
This presentation provides a simplified overview of the data processing operations at Kaia Health. It is not legally binding. The legally binding information is available in the flow text of the privacy policy for our Apps.
This privacy policy explains how We, Kaia Health Software GmbH (hereinafter: "Kaia", "We", "Us", etc.) process your personal data (hereinafter: "Data") when you use the digital health apps (hereinafter: "Apps") provided by Us and the associated features. The protection of your Data in the context of the use of Our Apps is important to Us. We therefore collect and process your Data only in accordance with applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter: "GDPR").
This privacy policy applies to the following Apps:
Kaia Back Pain is intended for multidisciplinary rehabilitation of non-specific back pain (M54.-) that has persisted for longer than 4 weeks or following previous episodes of non-specific back pain. You can use Kaia Back Pain with or without current or past supervision from medical professionals and perform the exercises on your own. However, you need to have undergone prior medical examination to exclude causes for back pain that would require specific treatment and to make sure that there are no contraindications to using Kaia Back Pain.
Kaia COPD is a medical product for self-use by patients based on the concept of pneumological rehabilitation. Every day, users receive different content on physical activities as well as active ways to cope with the disease COPD. Kaia supports users over 18 years of age diagnosed with COPD (J44.-) provided that contraindications and other causes requiring special therapy have been excluded. Kaia cannot make a diagnosis and does not replace medical advice.
The data protection controller within the meaning of Article 4 (7) GDPR is:
kaia health software GmbH,
Herzog-Wilhelm-Straße 26,
80331 Munich, Germany
E-Mail: compliance@kaiahealth.com
You can contact Our Data Protection Officer as follows:
PROLIANCE GmbH / www.datenschutzexperte.de
Data Protection Officer
Leopoldstr. 21
80802 Munich, Germany
E-Mail: datenschutzbeauftragter@datenschutzexperte.de
All data protection terms have the same meaning as defined in the GDPR.
We collect and process Data from you which you provide to Us when using the App. This involves, in particular:
Intended use of the App (cf. clause 5. a. below), including:
User account registration and creation in the App,
Use of the App and the associated features,
Collection of device data for the technical provision of the App,
Billing for Our services in connection with the use of the App,
Communication in connection with support requests.
Provision of evidence of positive health care effects within the context of a trial according to Sec. 139e para. 4 of the German Social Code (Sozialgesetzbuch, SGB), Book V (cf. clause 5. b. below).
Improvement and further development of the App (cf. clause 5. c. below).
Compliance with statutory obligations and other legally permissible data processing (cf. clauses 5. d. and e. below).
For a detailed description on how We process your Data, please refer to the following clause 5. of this privacy policy.
In the following, We will describe how We process your Data in connection with the provision and use of the App, including (i) the categories of Data concerned, (ii) the purposes of data processing, (iii) the respective legal bases on which We process your Data, as well as (iv) the storage period for your Data:
The Data provided by you in connection with the intended use of the App are processed by Us as follows:
Using the App requires prior registration and the creation of a user account after downloading the App from the App store.
In the following, We will describe how We process your Data in connection with registration and creation of a user account in the App:
Categories of data
In connection with the registration and creation of a user account in the App, We collect the following Data from you (hereinafter: "User Data"):
First name,
Gender,
Email-Address,
Telephone number,
Password,
Activation code,
Health insurance, and
Answers to medical history questions.
Purposes of data processing
We process your User Data to:
Create a personal user account for you;
Determine whether the use of the App is medically indicated for you;
Check whether your Data are complete, including a telephone number or electronic contact for any queries;
Where necessary, process your Data for queries to you by telephone or e-mail;
Provide you with the App and associated features; and
Bill you for Our services.
Legal basis of data processing
The legal basis for processing your User Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
Storage period
We store your User Data for the duration of the contract period and, where statutory storage periods exist that go beyond this (e.g. in the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) or for regulatory reasons), for the duration of the statutory storage period.
In the following, We will describe how We process your Data in connection with using the App and the associated features:
Categories of data
In connection with using the App and the associated features, We collect the following Data from you (hereinafter: "Application Data"):
Profile and status data,
Therapy units completed,
Enrolled courses,
Medical questionnaires,
Therapy development metrics,
E-mail address,
Push tokens, and
Training weekdays.
Purposes of data processing
We process your Application Data to provide the App and associated features, in particular:
Provision and reminder to do your therapy units,
Provision of information on your therapy units by e-mail or push notification as well as a PDF export for the user and the attending physician,
Visualization of the progress of your therapy,
Adaptation of your personal therapy units,
Reminder of health check appointments to ensure the App is used safely and as intended, and
Provision of information, e.g. on security-relevant updates and events.
Legal basis of data processing
The legal basis for processing your Application Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
Storage period
We store your Application Data for as long as required for the provision and use of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.
In the following, We will describe how We process your Data when collecting device data for the technical provision of the App:
Categories of data
In connection with using the App, Kaia's server automatically collects the following Data from you (hereinafter: "Technical Data"):
App and operating system version, and
Anonymized IP address (last octet(s) masked).
Purposes of data processing
We process your Technical Data to:
Enable an uninterrupted and safe operation of the App, and
Obtain information about security-relevant events as well as to provide updates.
Legal basis of data processing
The legal basis for processing your Technical Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
Storage period
We store your Technical Data for as long as required for the provision and use of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.
In the following, We will describe how We process your Data to bill Our services provided in connection with the App:
Categories of data
In connection with the billing of Our services, We collect the following Data from you (hereinafter: "Billing Data"):
Entered activation code or
Pseudonymous payment nonce provided by our payment processor.
Purposes of data processing
We process your billing data to bill you for our services in connection with the use of the app and forward this to the responsible health insurance company for billing purposes if the service is reimbursed by your health insurance company.
Legal basis of data processing
The legal basis for the processing of your billing data is your consent to the processing of your data for the intended use of the app (Art. 6 Para. 1 lit. a) and Art. 9 Para. 2 lit. a) GDPR).
Storage period
We store your billing data for as long as it is necessary to bill our services and, if there are statutory retention periods beyond this (e.g. in the Commercial Code, the Tax Code or for regulatory reasons), for the duration of the legally required retention period.
In the following, We will describe how We process your Data for communication in connection with support requests:
Categories of data
When you contact Us because of a support request, We collect the Data you provide in connection with your support request (e.g. by phone, contact form or e-mail). Mandatory fields are marked as such, as in these cases We absolutely need the Data to process your support request. The respective input form indicates which Data are collected.
Purposes of data processing
We process these Data for the purpose of communicating with you, e.g. to receive error messages and answer questions as part of your support request.
Legal basis of data processing
The legal basis of processing your Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
Storage period
We store your Data for as long as required for processing your support request and, where statutory storage periods exist beyond this (e.g. in the German Commercial Code, the German Fiscal Code, or for regulatory reasons), for the duration of the statutory storage period.
We use your Data to provide evidence of positive health care effects within the context of a trial according to Sec. 139e para. 4 SGB V.
This means that We have to provide the German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte) with evidence in form of a comparative study showing that the App has positive health care effects and, for this purpose, We need to examine and evaluate the results of the therapies and record them in an outcome study.
In the following, We will describe how We process your Data in connection with the demonstration of positive health care effects:
In connection with providing evidence of positive health care effects, We collect your Data provided in the context of the intended use of the App, including User, Application and Technical Data (cf. clause 5. a. above).
We process your Data for the purpose of providing evidence of positive health care effects by analyzing and evaluating the development and progress of the respective therapies. We then anonymize the results on the basis of aggregated data, summarize them in a report and send it to the competent regulatory and supervisory authorities. As your Data will only be passed on in anonymous form, no information identifying you is communicated.
The legal basis for processing your Data is your consent to the processing of your Data for the intended use of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
Please note that this data processing cannot be separated from the data processing for the intended use of the App (cf. clause 5. a. above), as the corresponding testing and verification is necessary for the provision of the App.
We store your Data for as long as required for providing evidence of positive health care effects and, where statutory storage periods exist beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.
If you have given Us your (optional) consent to do so, We process your Data to improve and further develop the App, e.g. for the continuous safeguarding and optimization of the technical functionality and user-friendliness of the App as well as the associated features.
In the following, We will describe how We process your Data to improve and further develop the App:
In connection with the improvement and further development of the App, We process the Data provided by you in the context of the intended use of the App, including User, Application and Technical Data (cf. clause 5. a. above).
In addition, We process the following Data of you:
Information on the hardware used,
Information on when which features and input masks were called up and how they were used, and
Information from the optional prescriber query in the registration process (first and last name, zip code, city).
We process these Data for the purpose of improving and further developing the App, including, without limitation:
To analyze and evaluate your user behavior in the App (e.g. to determine the user acceptance of certain new features etc.),
To analyze and evaluate developments and progress of the respective therapies,
To support the activation of prescriptions that have already been prescribed and to improve user-friendliness, and
To analyze and evaluate your Data in connection with internal studies to optimize therapy approaches.
When processing your Data to improve and further develop the App, We ensure that, wherever possible, your Data are anonymized or pseudonymized at the earliest possible stage.
The legal basis for processing your Data is your consent to the processing of your Data for the improvement and further development of the App given during registration or in the App's settings menu (Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR).
We store your Data for as long as required for the improvement and further development of the App and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.
In the following, We will describe how We process your Data in order to comply with statutory obligations:
In order to comply with applicable statutory obligations, We process the Data provided by you in the context of the intended use of the App, including Technical and Billing Data (cf. clause 5. a. above).
We process these Data for the purpose of compliance with applicable statutory obligations, in particular, Our obligations under medical device law, e.g. to carry out conformity assessment procedures and to post-market monitor the App.
In order to comply with Our statutory obligations, We may also share your Data with competent regulatory and supervisory authorities; however, We will share your Data only in pseudonymous form, so no information directly identifying you is shared.
The legal basis for processing your Data for compliance with Our statutory obligations is, as applicable, Art. 6 para. 1 lit. c) and e) GDPR in conjunction with the respective special legal provision of Art. 9 para. 2 lit. i) and j) GDPR.
We store your Data for as long as required for the compliance with Our statutory obligations and, where statutory storage periods exist that go beyond this (e.g. for regulatory reasons), for the duration of the statutory storage period.
To the extent permitted by law, We reserve the right to process your Data for other processing purposes. In this case and to the extent required by law, We will inform you again about this further data processing and obtain your consent.
Your Data may e.g. also be processed by Us in other ways and may also be disclosed to third parties if We are legally obligated to do so - e.g. by court order (Art. 6 para. 1 lit. c) GDPR) or if this is required to support criminal or legal inquiries or other legal investigations or proceedings in Germany or in other countries or to safeguard legitimate interests (Art. 6 para. 1 lit. f) GDPR, as the case may be, in conjunction with the respective special legal provision of Art. 9 para. 2 GDPR), e.g. for the provision of services or for the enforcement and defense of legal claims.
At the end of this document you will find the wording of your declaration of consent to the processing of your Data (i) for the intended use of the App (required consent) as well as (ii) for the improvement and further development of the App (optional consent).
Please note that the use of the App requires your prior consent to the processing of your Data for the intended use of the App (for more information on data processing, cf. clause 5. a. above). This also includes the data processing to provide evidence of positive health care effects in the context of a trial according to Sec. 139e para. 4 SGB V (for further information on data processing, cf. clause 5. b. above).
You have the option to withdraw your consent given during registration or in the settings menu in the App to the processing of your Data (i) for the intended use of the App and also, if given by you, (ii) for the improvement and further development of the App at any time in the settings menu in the App for the future, by selecting the respective item in the settings menu.
If you do not give your consent to the processing of your Data for the intended use of the App, or if you subsequently withdraw it, Kaia will not (or will no longer) be able to provide you with the functions of the App. In this case, We will delete your account.
In accordance with the data protection law principle of "privacy by default", the App allows for the individual adaptation of specific features in some cases. All features offered within this App are generally part of the intended use and are required for an optimal use of the App in its entirety. However, Kaia understands that as different people may have different preferences regarding communication, sustainability of control, etc., some features are optional and can be enabled or disabled in the App's settings.
This includes, for example, using push notifications to send you alerts. When you use the App for the first time, you will be asked if you want to enable these functions in your settings menu. You may also enable these functions or disable them again at a later time. The same applies, for example, to e-mails sent by Kaia to remind you to complete your therapy units.
We may transfer your Data collected by the App to the following processors in the meaning of Art. 28 GDPR who assist Us in the operation of the App and the provision of Our services:
Name | Function | Processed data |
---|---|---|
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | Cloud Platform as a Service (PaaS) – provision of server and database resources for the operation of the App. Any and all Data are transmitted, stored and processed exclusively in encrypted form. No Data are transferred to the US. If US authorities request the release of Data, no Data will be made available or, in any case, legal action will be taken and fully exhausted. | Encrypted: User data, contact data, health data, billing data, data for the improvement and further development of the App. |
Zammad GmbH, Marienstraße 18, 10117 Berlin, Germany | Indexing and answering of support requests | Requests made to the support team. May include message text, subject, e-mail address and name |
mailbox.org / Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany | E-mail inbox for support requests | Requests made to the support team. May include message text, subject, e-mail address and name |
NOVENTI HealthCare GmbH, Berg-am-Laim-Straße 105, 81673 Munich, Germany | Payment processing | Processing of DiGA payment via statutory health insurers using the DiGA activation code. |
IMEDIAPP SA (Batch.com), 43 rue Beaubourg, 75003 Paris, France | Push and e-mail notifications | Treatment-related notifications via push and e-mail. May include push identifiers and e-mail addresses |
BroadSoft Germany GmbH c/o Cisco Systems GmbH, Lothringer Straße 56, D-50677 Cologne, Germany | Contact by telephone. Any and all Data are transmitted, stored and processed exclusively in encrypted form. No Data are transferred to the US. If US authorities request the release of Data, no Data will be made available or, in any case, legal action will be taken and fully exhausted. | Telephone number |
Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany | Dispatch of prescriptions submitted through Kaia Health | Contact details, health data |
Bayoomed GmbH, Europaplatz 5, 64293 Darmstadt, Germany | Integration with Telematics Infrastructure | Contact details, general personal data, patient data |
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Cloud services for messaging and notifications | Push token |
We have concluded contracts with all of Our processors pursuant to Art. 28 GDPR, stipulating in particular that the data processing will be carried out exclusively according to Kaia's instructions and that all employees who come in contact with Kaia's data have been obligated to comply with data protection regulations.
Moreover, We may disclose your Data to the following categories of recipients for the aforementioned processing purposes:
Each of the above recipients processes your Data independently as a controller in the meaning of Art. 4 para. 7 GDPR.
Please note that in the context of providing the App, Kaia also collaborates with other partners who are not processors and who may collect Data directly from customers, without any data transfer by Kaia.
This includes e.g. the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A. with registered office in the EU (hereinafter: "PayPal") as well as PayPal's respective processors. If you wish to make any payments via PayPal, you will be automatically redirected to the website of PayPal or its affiliated companies for payment purposes. Such third-party providers are not "recipients" of Kaia in the meaning of Art. 13 para. 1 GDPR. They collect the customer's Data independently and based on your decision to make the payment via PayPal. We would furthermore like to note that your contractual relationship with PayPal is independent of your contractual relationship with Kaia.
The processing of your Data may be carried out by Kaia in Germany, in a Member State of the EU or the EEA or, if an adequacy decision pursuant to Art. 45 GDPR exists, in a third country outside the EU or the EEA.
We generally only store your Data for as long as is necessary to achieve the purposes for which the Data was collected or until you withdraw your consent (see clause 11.). If there are additional statutory storage periods (e.g. in the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) or for regulatory reasons), your Data will be stored for the duration of the statutory storage period.
You may end your use of Kaia at any time and delete all your Data. To do so, select the menu item "Manage your data" in the App's settings. There, you may also selectively delete all Data that We have collected for product improvement or improvement of the Motion Coach, if you have previously given your consent for this.
We store health-related Data physically and logically separate from Data required for billing purposes. A deletion also deletes any of your Data that have been processed by processors.
According to the GDPR, you are entitled to the following data protection rights pursuant to statutory requirements:
Right of access, rectification, erasure and restriction: You have the right to request at any time information about your Data stored by Us (Art. 15 GDPR). When We process or use your Data, We take reasonable steps to ensure that your Data are accurate and up-to-date for the purposes they were collected for. If your Data are inaccurate or incomplete, you may request that they be rectified (Art. 16 GDPR). You furthermore may have the right to request the erasure (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) of your Data if, for example, your Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and statutory retention obligations do not require their continued storage.
Right to data portability: You may have the right to receive the respective Data you provided to Us in a structured, commonly used, and machine-readable format or to transmit those Data to another controller (Art. 20 GDPR).
Right to withdraw your consent: If you have given consent to the collection, processing and use of your Data, you may withdraw your consent at any time with effect for the future; however, the lawfulness of the processing performed based on the consent until its withdrawal shall not be affected by such a withdrawal (Art. 7 para. 3 GDPR).
Automated decision making (including profiling): You have the right not to be subject to a decision based solely on automated processing (including profiling) that has legal effects on you or similarly significantly affects you (Article 22 (1) GDPR). Please note that we do not use such automated decision-making or profiling within the meaning of Art. 22 GDPR in connection with our app.
Right to object: You may object at any time, for reasons relating to your particular situation, to the processing of your Data under Art. 6 para. 1 lit. e) or f) GDPR. After you lodge such an objection, We will no longer process your Data unless We can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (Art. 21 para. 1 GDPR, so-called "restricted right to object"). In this case, you must provide reasons for your objection which result from your particular situation. You may also object, without giving reasons, to your Data being processed for direct advertising (Art. 21 para. 2 GDPR).
To exercise your right of access and your right to data portability, select the menu item "Manage your data" in the App settings. There you can export your Data in both a human-readable and a machine-readable format.
To rectify your Data, you can find some options directly in the App's settings. If you would like to rectify additional Data, you may always contact Our customer support at www.kaiahealth.de/kontakt/, who will rectify the Data for you.
To obtain a restriction of processing or to object to the processing of your Data, you will also find options in the App's settings under the menu item "Manage your data". If you would like to further restrict the processing of your Data, please contact Our customer support at www.kaiahealth.de/kontakt/.
In addition, you have the right to lodge a complaint with the relevant supervisory authority if you believe your Data are not being processed lawfully. The competent supervisory authority for Kaia is Bayerisches Landesamt für Datenschutzaufsicht; postal address: Postfach 606, 91511 Ansbach; telephone: +49 (0) 981 53 1300; e-mail: poststelle@lda.bayern.de.
For all questions regarding the protection of your Data, you may also contact Our Data Protection Officer at datenschutzbeauftragter@datenschutzexperte.de, who is also available to receive your requests to exercise your data protection rights as well as suggestions and complaints.
We reserve the right to update this privacy policy from time to time, in particular in order to reflect changes to Our services, e.g. technical and organizational adjustments to the App, changes in legislation or case law, or your feedback. We therefore recommend that you visit this website regularly to find out how your Data is protected and processed. We will notify you in advance by e-mail and/or in the App of any material changes to this privacy policy.
Wording of the declaration of consent
I consent to the processing of my personal data (including health data) for the following purposes:
For further information on how we process your personal information and on your data protection rights, please refer to our privacy policy. You may withdraw your consent(s) at any time in the settings for the future.