Declaration of Consent for Data Protection Regarding the Preventicus Heartbeats App
I may revoke my consent for the future at any time. However, the revocation of my consent does mean that contractual use of the Preventicus Heartbeats app or Telecare Centre is no longer possible. Processing on a statutory basis cannot be ruled out either if consent is revoked.
Additional data protection regulations may apply for certain categories of data processing, e.g. if you are using the Preventicus Heartbeats app to take part in a study or a telemedical care programme of your health insurance.
The Preventicus Heartbeats app is a medical product classified for the European Economic Area, which complies with the basic requirements of Guideline 93/42/EEC and its national implementations.
For more information, please refer to the Terms and Conditions of Use.
PREVENTICUS will process your personal data confidentially and strictly for specific purposes. Your health data will exclusively be processed on servers in Germany.
I. Who is responsible for data processing and who should I contact?
Responsible in terms of the General Data Protection Regulation (GDPR) is:
You can contact our Data Protection Officer by means of the above contact details or by email at firstname.lastname@example.org
II. What are personal data?
Personal data is information that can identify someone or that can be used to contact someone, such as an email address.
We do not need your name or any other contact details from you for you to use the Preventicus Heartbeats app, but we save your data without a name reference (pseudonymised) on our systems from the start.
The Preventicus Heartbeats app is therefore not used to process any personal data that can be directly attributed to you. PREVENTICUS cannot identify or individually contact any unregistered users based on the data generally saved in Preventicus Heartbeats.
III. What kind of data do we collect?
III.a Health data
You can use the Preventicus Heartbeats app to take measurements of your own pulse using your smartphone and document them with the app. The Preventicus Heartbeats app then uses the information provided to help automatically detect and classify arrhythmias (extrasystoles, atrial fibrillation), provided sufficiently accurate and valid measurements are available (“health data”). Your heart rhythm and pulse waves will be stored on our servers.
III.b Sensor data
In addition to the classification of the measurements, not only your smartphone’s camera but also other sensor data are used for and added to the measurements. This is done to ensure that any movements that could impair the measurement result are taken into account.
As a result of your registration, your licence can be transferred regardless of the operating system you are using and your measurement data can be reproduced if you change or lose your smartphone. It also enables you to take part in a care programme or medical study.
III.c Other data you communicate to us
We generally require neither your name nor any other personal contact data from you, but save your data initially without a name reference (anonymously) on our systems. Processing takes place solely on servers in Germany.
You do, however, have the possibility to add your name and, in a free-text field, store the reason for the measurement or symptoms (heart palpitations, dizziness, irregular heartbeat, chest pains, etc.) for personal purposes in stored PDF reports, for instance to be used for assistance when forwarding the information to your physician. In your user profile you can also state your sex and year of birth, thus enabling us to better assess your measurement results.
If you would like to register with us, please communicate your e-mail address and a password set by you. Optionally, you can assign a user name, state your name and enter a promotional code in the field ‘ID health partner’.
Your data will then be saved in a pseudonymised manner. This means that your personal data is stored in encrypted form in a separate database from your health data and can be assigned if necessary. Processing takes place solely on servers in Germany.
Registration enables the transfer of your licence irrespective of the operating system and the recovery of your measurement data, should you change or lose your smartphone.
III.e Interoperability option
Preventicus Heartbeats may be opened and used for heart rhythm measurements by dedicated medical applications. In this case, Preventicus Heartbeats performs its measurements with subsequent pseudonymized data analysis on servers hosted in Germany. The pseudonymized results are securely transferred back to the dedicated medical applications. In this scenario, Preventicus Heartbeats does not receive any personal data from the dedicated medical applications except being necessary for data analysis (age and gender). Only the dedicated medical applications connected to Preventicus Heartbeats may be able to merge pseudonymized measurement results from Preventicus Heartbeats with potentially personal user data derived in the dedicated medical applications. Preventicus Heartbeats is an independent medical application. When using the interoperability option, please refer to the privacy notices of the third-party compatible medical app you are using.
Preventicus has no influence on any further processing of your measurement results in these third-party medical applications.
List of dedicated medical applications being interoperable with Preventicus Heartbeats:
mAFA. Mobile Health Technology for Atrial Fibrillation Management Integrating Decision Support, Education, and Patient Involvement: mAF App Trial
MAFA and its connected application is scientific project in China mainland led by Prof. GUO YUTAO (301 hospital Beijing, PRC).
UKSH App: Health Hub (IBM Project Electronic Health Record)
III.f. General data we collect regarding the use of our app
Crashlytics collects data on the use of the app, especially with regard to system crashes and errors. In doing so, information concerning the device (incl. advertising ID), the installed app version as well as other information is used, which may help to remedy errors, particularly regarding the user’s hardware and software.
You can deactivate the analysis service Crashlytics from Google Inc., thus objecting to the collection of this data with future effect. For this purpose, open the settings menu (cogwheel symbol at the top right) and click on Deactivate.
Within this app we use the app performance and analysis technology “Adjust” from Adjust GmbH. When starting the app, we collect installation data and data regarding the use of the app via Adjust. This helps us to measure and analyse your use and interaction with the app and with advertising campaigns. Adjust connects IP addresses, information from the User-Agent character string and an application-specific addition to a linked character string. In the case of single-use anonymisation, the values are not retrievable, meaning that users and/or devices cannot be personally identified.
You can deactivate the analysis service Adjust, thus objecting to the collection of this data with future effect. For this purpose, open the settings menu (cogwheel symbol at the top right) and click on Deactivate.
III.g.3. Scientific research purposes
For scientific research purposes, we process the IP address for the anonymous classification of your residential district, as well as further statistical data, such as age and gender.
- Data processing for payment processing when using the full version
If you would like to use the full version, your app store operator will exclusively process your payment details for handling your purchase. Your contact and payment data is not communicated to us. Please observe the data protection provisions and user regulations of your respective app store operator, Apple App Store and Google Play Store.
- Where do we store your personal data?
When using this app, a transfer of data takes place to countries outside the European Economic Area (“EEA”) within the framework of the use of the analytical service Crashlytics (unless you have selected the Opt-Out function). An adequacy decision of the EU Commission does not exist for these countries, to the effect that in said countries (so-called third countries), there are no data protection provisions comparable with those of the EU.
Crashlytics is certified under the EU-US Privacy Shield and guarantees the users an adequate level of data protection, in particular legally binding and judicially enforceable rights for the persons affected.
You can deactivate the analysis service Crashlytics, thus objecting to the collection of this data with future effect. For this purpose, open the settings menu (cogwheel symbol at the top right) and click on Deactivate.
The remaining data processing operations are performed exclusively within the EU by contracted service providers acting on our behalf.
- To what end do we process your data (purpose of processing) and on which legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
VI.a to meet contractual obligations (Art. 6 (1) (b) GDPR)
PREVENTICUS processes contractual information in relation to accounts in order to allocate and provide you and other providers with the contractually agreed services as well as ensure all information reaches the correct recipients.
We store and anonymise your measurements and the evaluations and health values we have created in this respect for scientific and statistical purposes and for the continuous improvement of the app and measurement systems, without prejudice to the cancellation or termination of your account. PREVENTICUS will also delete the link to the account forever. The data will be anonymised in such a way that the pertinent individuals cannot or can no longer be identified.
VI.b to process personal health data based on your consent (Art. 6 (1) (a) GDPR, Art. 9 (2) (a) GDPR)
Based on your consent, we process your health data to detect arrhythmias (extrasystoles, atrial fibrillation) and to classify the results in an analysis report for your information.
VI.c to exercise or defend legal claims (Art. 9 (2) (f) GDPR)
Where necessary, we will process your data for the establishment, exercise or defence of legal claims.
VI.d. for the balancing of interests (Art. 6 (1) (f) GDPR)
Provided you have not objected to the use of your data, we process your usage data to protect our legitimate interests and those of third parties, e.g. for
- Performance reviews of our advertising campaigns, to improve the effectiveness of our marketing efforts and to make their success measurable;
- Statistical analyses of how our app is used to ensure that the interests of all parties are protected, that the measurements were performed correctly and that the contents are optimally displayed.
VII. Who is my personally identifiable data transferred to?
In general, only those persons within PREVENTICUS have access to this data who require it for the fulfilment of our contractual or, if applicable, legal obligations. Service providers and vicarious agents deployed by us may also receive data for these purposes. The specifically applies to our ISO27001-certified hosts.
Beyond this we do not communicate your personal or personally identifiable data to third parties.
You are free to communicate the analyses generated via the app (menu option Report) to third parties.
Accordingly, we do not communicate your personal or personally identifiable data to third parties without your explicit previous consent.
VIII. Is the provision of the personal data legally or contractually stipulated?
You are under no obligation to provide us with the above-mentioned personal data via the website.
- How long is my data stored for?
We generally process and save your personal data as long as is necessary for the fulfilment of the purpose or as far as is legally required.
- Your rights as an affected person
Each person affected by our personal data processing has the right of access in accordance with Article 15 GDPR, the right of rectification in accordance with Article 16 GDPR, the right to deletion in accordance with Article 17 GDPR, the right to the limitation of processing in accordance with Article 18 GDPR, the right of opposition from Article 21 GDPR as well as the right of data portability from Article 20 GDPR. In the case of access and deletion rights, the limitations according to §§ 34 and 35 of the German Federal Data Protection Act (BDSG) shall apply. Furthermore, a right to appeal to a data protection authority exists in accordance with Article 77 GDPR in conjunction with § 19 of the German Federal Data Protection Act (BDSG).
Except in the case of registered users, Preventicus is unable to identify users. Due to the lack of sufficiently identifiable characteristics, Preventicus is unable to allocate the health data to a non-registered user. In these cases, Articles 15 to 20 do not apply.
X.I. Information regarding your right of opposition in accordance with Article 21 GDPR
X.I.I. Individual right of opposition
You have the right, for reasons resulting from your particular situation, to file an opposition at any time against the processing of your personal data, which has taken place based on Article 6 par. 1 f GDPR (data processing based on a balancing of interests); this also applies, where relevant, to a profiling based on this provision within the meaning of Article 4 par. 4 GDPR. See in particular section 3.4.
If you file an opposition, we will no longer process your personal data, unless we can present proof that compelling protection reasons for processing exist that outweigh your interests, rights and freedoms, or that processing serves the assertion, execution or defence of legal claims.
If you oppose the processing for purposes of direct advertising, we will no longer use your personal data for these purposes.
X.I.II. Revocation of consents granted
You can revoke a consent granted to us at any time.
This also applies to the revocation of declarations of consent granted to us prior to the validity of the EU General Data Protection Regulation, meaning prior to 25 May 2018. The legality of the processing performed based on the consent until the time of revocation shall not be affected by the revocation of the consent.
X.I.III. Implementation of the opposition or revocation of consent granted
Opposition can take place informally and can be performed, for instance:
- by clicking on Unsubscribe in the bottom section of an e-mail message (newsletter);
- by using our contact form under contact for your opposition;
- by means of written notification to the address stated in section 1
- by telephone via the number +49 (0) 36 41 / 55 98 45-0
- or by sending an e-mail to email@example.com
- In order to unsubscribe from receiving e-mails or other advertising materials, you can also follow the instructions given in the respective notification.
Please contact the Data Protection Officer directly with regard to your data protection rights.
Right of modification
PREVENTICUS is entitled to modify the data protection declaration at any time and, in particular, to adjust it to amendments in the legal situation brought about by law or legislation. The respectively most recent version can be accessed and viewed at this point. Amendments to the data protection provisions shall come into effect at this point upon the day of their publication.
Jena, October 13, 2019