Privacy Policy – Digital Health Application Vertidisan
Dated: 09 October 2023 · last updated 12 March 2024. Minimum age for use: 18 years, regardless of operating system (iOS/Android).
1. Controller
Digitineers GmbH & Co. KG, Austria: Mariahilfer Str. 123/3, 1060 Vienna (info@vertidisan.com), Germany: August-Bebel-Str. 9, 72072 Tübingen (Headquarters)
Phone: +49 7071 704 30 10 · E-mail: info@digitineers.com · www.digitineers.com
Data storage by: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Server locations: Germany and Finland (Hetzner Finland Oy). Privacy policy: hetzner.com/rechtliches/datenschutz.
Statutory health insurance billing: the activation code is transmitted pseudonymously to Noventi HealthCare GmbH, Berg-am-Laim-Straße 105, 81673 Munich, Germany, and forwarded to the statutory health insurance fund. Privacy policy: noventi.healthcare/datenschutz.
2. Data Protection Officer
Mr Marcel Heintz, DaVedo GmbH, Robert-Koch-Straße 35, 55129 Mainz, Germany
Phone: +49 6131 3278420 · E-mail: kontakt@davedo.de · www.davedo.de
3. Scope
This policy describes the processing of personal data pursuant to Art. 4(1) GDPR, as well as special categories of personal data pursuant to Art. 9 GDPR (including health data, biometric data) in connection with the use of Vertidisan.
4. Processing of Data upon Registration and Use
4.1 Download: When downloading, data is automatically transmitted to the respective app store (username, e-mail, customer number, device identifier, payment information, time). The respective app store operator is responsible for this.
4.2.1.1 Registration: IP address, date/time of access, password, e-mail address, activation code (legal basis: Art. 6(1)(b) GDPR).
4.2.1.2 Health data (only with separate consent, Art. 9(2)(a) GDPR):
- User/health data: diagnosis, symptoms, complaints, progress
- Device data: phone model, operating system, device ID
- Progress data: content displayed and completed
- Content data: consents to terms/privacy/cookies/push notifications, app version
- Server data: IP addresses, content accessed, pseudonymized ID, timestamps
- Server log files: IP, URL, timestamp
4.2.1.3 Contact data when contacting customer service.
4.2.4 Retention period: deletion after the 90th day of therapy, at the latest 180 days after registration/activation. Outside the app (e.g. invoicing data for self-payers): 6 calendar years pursuant to the German Commercial Code (HGB).
5. Disclosure to Third Parties
No sale of personal data. No disclosure without your consent, except where legally permitted. Processors are engaged in accordance with Art. 28(1) GDPR; processing takes place exclusively in Germany or Finland. Any statutory duty to provide information to authorities (e.g. law enforcement, regulatory or tax authorities) remains unaffected.
6. Deletion of Data
Backups are deleted after no more than 32 days. IP addresses used for abuse detection are stored for a maximum of 7 days.
7. Your Rights
Right of access (Art. 15 GDPR), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20).
8. Right to Object
You have a right to object pursuant to Art. 21 GDPR, as well as a right to lodge a complaint with a supervisory authority. You may withdraw any consent given at any time pursuant to Art. 7(3) GDPR – via your profile settings, by deleting your account, or in writing.
9.–10. DiGAV: Purposes & Technical/Organizational Measures
Data processing takes place pursuant to § 4(2) DiGAV (German Digital Health Applications Ordinance) for the following purposes: intended use, evidence of positive care effects, evidence pursuant to § 134 SGB V, functionality and further development. Two separate consents may be given for this purpose.
Technical and organizational measures include, among others: secure authentication and session data management, access security, software risk management pursuant to ISO 27001/ISO 13485/BSI C5, hosting on German servers, a 72-hour reporting obligation in the event of data breaches, certified penetration testing pursuant to the BSI concept (BSI TR-03161, pending), no access to device sensors/hardware beyond what is necessary, a complete transparency list of third-party software used, availability Mon–Sat 9 a.m.–7 p.m. CET with a response within 24 hours, no advertising, no in-app purchases and no automatic subscription renewals.
11. Privacy Assessment
The privacy assessment was carried out according to the criteria of the BfArM (German Federal Institute for Drugs and Medical Devices) pursuant to § 139e(11) SGB V and § 78a(8) SGB XI.
12. Changes to this Privacy Policy
The current version is available at any time via this website and via the app (menu item "Privacy").