Privacy Policy

Personal data (hereinafter mostly referred to as “data”) are processed by us only within the scope of necessity and for the purpose of providing a functional and user-friendly Internet presence, including its contents and the services offered there.

Art. 4 digit 1. of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter referred to as the “GDPR”), “processing” means any operation or set of operations relating to personal data, such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or association, qualification, erasure or destruction, carried out with or without the aid of automated procedures.

With the following data protection declaration we inform you in particular about type, extent, purpose, duration and legal basis of the processing of personal data, as far as we decide either alone or together with others about the purposes and means of the processing. In the following, we will also inform you about the third-party components used by us for optimisation purposes and to increase the quality of use, insofar as third parties process data on their own responsibility.

Our privacy policy is structured as follows:

I. Information about us as responsible persons
II. Rights of users and persons concerned
III. Information on data processing
IV. Information about permissions required to submit a case

I. Information about us as responsible persons

The provider responsible for this Internet presence in the sense of data protection law is:

Smart Health Heidelberg GmbH
Handschuhsheimer Landstr. 9/1
69120 Heidelberg
Germany

Telephone: 06221/3219304
E-Mail: info@smarthealth.de

Privacy officer at the provider is:

Name: Christin Wißler; Contact: dsb@smarthealth.de

II. rights of users and stakeholders

With regard to the data processing described in more detail below, the users and data subjects have the right

to

  • on confirmation whether data concerning them are processed, on information about the processed data, on further information about the data processing as well as on copies of the data (cf. also Art. 15 GDPR);
  • on confirmation whether data concerning them are processed or not

  • for the correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);
  • for the correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);

    for the correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);

    for the correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);

    for the correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);

    for the correction or completion of incorrect or incomplete data

  • on immediate deletion of the data concerning them (cf. also Art. 17 GDPR), or, alternatively, if further processing is required pursuant to Art. 17 para. 3 GDPR, on limitation of processing pursuant to Art. 18 GDPR;
  • on the restriction of processing pursuant to Art. 18 GDPR.

  • on receipt of the data concerning them and provided by them and on transmission of these data to other providers/responsible persons (cf. also Art. 20 GDPR);
  • on receipt of the data concerning them and provided by them and on transmission of these data to other providers/responsible persons (cf. also Art. 20 GDPR);

    on receipt of the data provided by them and on transmission of these data to other providers/responsible persons (cf. also Art. 20 GDPR);

    on receipt of the data provided by them and on transmission of these data to other providers/responsible persons (cf. also Art. 20 GDPR); on receipt of the data provided by them (cf. also Art. 20 GDPR)

  • on complaint to the supervisory authority if they are of the opinion that the data concerning them are being processed by the provider in violation of data protection provisions (cf. also Art. 77 GDPR).
  • on complaint to the supervisory authority if they are of the opinion that the data concerning them are being processed by the provider in violation of data protection provisions (cf. also Art. 77 GDPR).

In addition, the provider is obliged to inform all recipients, to whom data have been disclosed by the provider, about any correction or deletion of data or the restriction of processing, which takes place on the basis of Articles 16, 17 para. 1, 18 GDPR. However, this obligation does not apply if such notification is impossible or involves disproportionate effort. Notwithstanding the foregoing, the User shall have the right to obtain information about such recipients.

In addition, users and data subjects have the right to object to the future processing of data concerning them in accordance with Art. 21 GDPR, provided that the data are processed by the provider in accordance with Art. 6 para. 1 lit. f) GDPR. In particular, an objection to data processing for the purpose of direct marketing is admissible.

III. Information on data processing

Your data processed when using our website will be deleted or blocked as soon as the purpose of the storage no longer applies, the deletion of the data is not opposed by any legal storage obligations and subsequently no other information on individual processing methods are provided.

Cookies

a) Session Cookies/Session Cookies

We use so-called cookies with our Internet presence. Cookies are small text files or other storage technologies that are stored on your terminal device by the Internet browser you use. These cookies process certain information from you to an individual extent, such as your browser or location data or your IP address.

This processing makes our Internet presence more user-friendly, effective and secure.

The legal basis for this processing is Art. 6 Para. 1 lit. b.) GDPR, insofar as these cookies are used to process data for contract initiation or contract processing.

If the processing does not serve the contract initiation or contract execution, our legitimate interest lies in improving the functionality of our website. The legal basis is then Art. 6 Para. 1 lit. f) GDPR.

.

Close your Internet browser and these session cookies will be deleted.

b) Third party cookies

Only our payment provider Stripe is the only external provider that places cookies (for more information on Stripe see section d)) to ensure secure online payment via our website. Stripe only places cookies on the “Send Case” page.

c) Elimination option

You can prevent or restrict the installation of cookies by setting your Internet browser. You can also delete cookies that have already been saved at any time. However, the steps and measures required for this depend on the Internet browser you are using. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support. In the case of so-called flash cookies, however, processing cannot be prevented via the browser settings. Instead, you must change the settings of your Flash player. The steps and measures required for this also depend on the Flash Player you are using. If you have any questions, please also use the help function or documentation of your Flash Player or contact the manufacturer or user support.

Should you prevent or restrict the installation of cookies, this may, however, result in not all functions of our website being fully usable.

d) Payment services

d1) Payment services: via Visa, Mastercard, American Express

If you pay by credit card, the payment will be processed by the payment provider “Stripe”. The data required for this (card number, validity and check number) are forwarded to the payment provider in encrypted form and cannot be viewed by the website operator. Stripe Payments Europe Ltd is certified according to the Industry Data Security Standard (PCI DSS) and is subject to the Safe Harbour Agreement. The Payment Provider may transfer, process and store personal data outside the EU that is necessary to process the payment, but which cannot be attributed to your case or any other personal data entered into the App by this Payment Provider (= your images, your email address or any symptoms you have indicated). Stripe alone is responsible for the processing of this data.

Stripe Payments Europe Ltd

Block 4, Harcourt Centre
Harcourt Road
Dublin 2
Ireland

Details for payment with Stripe can be found in the terms and conditions and privacy policy of the payment provider: https://stripe.com/de/terms

We have concluded a contract with Stripe in which we oblige Stripe to protect the data of our customers and not to pass it on to third parties. Further information can be found here: https://stripe.com/dpa/legal

d2) SOFORT
If the payment method “SOFORT” is selected, payment will also be processed via Stripe (see d1), but in cooperation with the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter referred to as “SOFORT”), to whom we do not directly forward any information about your order. The information is passed on via Stripe, which assigns your case an ID (not your case ID) and, if payment is successful, automatically informs us of this ID, so that your case is automatically sent to a specialist or posted in the encrypted medical portal and can be processed by a specialist. Sofort GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). Your data will only be passed on for the purpose of payment processing with the payment service provider IMMEDIATELY and only to the extent necessary. At the following Internet address you will find further information about SOFORT’s privacy policy: https://www.klarna.com/sofort/datenschutz.

e) Composition of data actively entered by yourself (=case) & advice on factually anonymous use of the service

The use of this service is factually anonymous possible (=neither the operator, nor the doctors, nor the third party providers / payment providers can bring you as an individual person in connection with your case or assign your health data to your person). In the interests of data economy, we collect as little data as possible from you. To submit a case and a medical specialist’s opinion, only the following are required: three images of the problem/skin area, information on symptoms (not individually assignable), your approximate age (years, no date of birth) and your gender. The website also requires you to enter an e-mail address so that you can be notified when your case has been processed. If you wish to use the service anonymously, we recommend the following:

  • No name, date of birth or place of residence is queried at any point on our site. You should not provide this information in your symptom description.
  • You should limit the photos you take and upload to your problem. You should not upload images of your face, or identifying tattoos or the like.
  • You should enter an e-mail address on our website (in our apps of the same name no e-mail address is required, you can use this alternatively) which identifies you not individually (e.g. Sportfan2006Superman@web.de instead of Jens-Simon-Hendrik-Maier-01-08-1956@web.de). The attending physicians do not see your email address, but it is stored in a secure database in a secure server center in Frankfurt (see section f) so that you can be contacted when your case has been processed and to provide your case number. We meet modern security standards and have taken many precautions to ensure that our database is safe from hacker attacks and other influences. However, in the interests of the data economy of the EU-GDPR, we recommend that you do not upload any individually identifying information with our service.

f) Hosting your case

We host your case data at Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA (“AWS”). For technical reasons, the infrastructure may be maintained from the USA. However, AWS has adhered to the EU-US Privacy Shield and we have only selected secure server locations in the European Union that are part of the Amazon AWS Security Group (Frankfurt & Ireland, both part of the Security Group).

The legal basis for the aforementioned data processing is Art. 6 para. 1 f) GDPR based on our legitimate interest. We want to provide you with the technical infrastructure to be able to offer our products and services.

We have concluded a contract with Amazon AWS in which we obligate Amazon AWS to protect the data of our customers and not to pass it on to third parties. Further information can be found in the Privacy Statement of AWS and here: https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/

g) Hosting of this website and automated sending of e-mails

This website uses 1&1 IONOS mail server to forward email from Amazon AWS and 1&1 IONOS hosting server to host this website. Provider is 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. The mail server forwarding service is used to send you your case number, or to inform you if your case has been reviewed by a specialist, or if a query has been made. The hosting service is used to host this website.

 

Legal basis

The data processing takes place on the basis of our legitimate interests in a reliable and secure e-mail dispatch and hosting (Art. 6 para. 1 lit. f GDPR).

For more details, see the 1&1 IONOS Privacy Policy at: https://www.ionos.de/terms-gtc/terms-privacy/..

 

Conclusion of an order processing contract

We have concluded a contract with 1&1 IONOS in which we oblige 1&1 IONOS to protect the data of our customers and not to pass it on to third parties. You can find out more about this here: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-GDPR/auftragsverarbeitung/..

f) Archive/delete your case

If you wish your case to be deleted, you can request this deletion via the contact form, stating your case number. In principle, we store the data for five years. For security reasons, however, your case can only be retrieved two weeks after creation. If you still want to call up the case out of legitimate interest, please contact our support team using the contact form, stating your case number. If you do not want to be identified, use an e-mail address that cannot be individually assigned to you.

Contact requests / Contact possibility

If you contact us via contact form or e-mail, the data you provide will be used to process your request. The data you provide is necessary for processing and answering your enquiry – we cannot answer your enquiry without providing it, or we can only answer it to a limited extent.

The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR.

Your data will be deleted if your request has been conclusively answered and there are no legal obligations to retain data to prevent deletion, such as in the case of any subsequent contract processing.

Facebook

To advertise our products and services as well as to communicate with interested parties or customers, we operate a company presence on the Facebook platform.

On this social media platform, we are jointly responsible with Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

The Facebook Privacy Officer can be reached via a contact form:

https://www.facebook.com/help/contact/540977946302970

We have regulated the joint responsibility in an agreement regarding the respective obligations in the sense of the GDPR. This agreement, from which the mutual obligations arise, can be found under the following link:

https://www.facebook.com/legal/terms/page

The legal basis for the processing of personal data that takes place as a result and is reproduced below is Art. 6 Para. 1 lit. f GDPR. Our legitimate interest lies in the analysis, communication, sale and advertising of our products and services.

The legal basis may also be the user’s consent to the platform operator pursuant to Art. 6 Para. 1 lit. a GDPR. The user may revoke his consent to this at any time in the future by notifying the platform operator in accordance with Art. 7 Para. 3 GDPR.

When calling up our online presence on the Facebook platform, Facebook Ireland Ltd. as the operator of the platform in the EU processes the user’s data (e.g. personal information, IP address etc.).

This user data serves as statistical information about the use of our company presence on Facebook. Facebook Ireland Ltd. uses this data for market research and advertising purposes and to create user profiles. These profiles enable Facebook Ireland Ltd., for example, to advertise users inside and outside Facebook on an interest-related basis. If the user is logged in to his Facebook account at the time of access, Facebook Ireland Ltd. can also link the data to the respective user account.

If the user makes contact via Facebook, the personal data of the user entered on this occasion will be used to process the request. The user’s data will be deleted by us if the user’s request has been conclusively answered and there are no legal storage obligations, such as in a subsequent contract processing, contrary.

For the processing of the data Facebook Ireland Ltd. may also set cookies.

If the user does not agree with this processing, it is possible to prevent the installation of cookies by setting the browser accordingly. Cookies that have already been saved can also be deleted at any time. The settings for this depend on the respective browser. In the case of Flash cookies, processing cannot be prevented via the browser settings, but via the corresponding setting of the Flash player. If the user prevents or restricts the installation of cookies, this may mean that not all Facebook functions are fully usable.

For more information on the processing activities, their suppression and deletion of the data processed by Facebook, please refer to the Facebook Data Policy:

https://www.facebook.com/privacy/explanation

It cannot be excluded that the processing by Facebook Ireland Ltd. may also take place via Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA.

Facebook Inc. has submitted to the EU-US Privacy Shield and thereby declares its compliance with EU data protection regulations when processing data in the US.

https://www.privacyshield.gov/participant?id;status=Active

 

IV. Information on necessary authorizations

Permission to use the camera / files when taking pictures/selecting

If you want to upload three images to complete your case, you must either grant permission to your web camera for this purpose only, or grant access to your images on your computer, but only to the skin images you have selected to complete your case.

The legal basis is Art. 6 Para. 1 S. 1 lit. f DS-GVO, since without photos of the affected skin area no good findings can be made by a specialist.