The Controller in accordance with the relevant data protection regulations is imito AG (hereinafter referred to as "Provider"). For details on the address for service and authorized representation, please refer to the imprint.
We process personal data only to the extent necessary to provide a functional app. The processing of personal data takes place regularly only with the consent of the data subject or on the basis of other legal provisions that permit data processing.
A distinction must be made between two categories of personal data:
Patient data also includes personal data of a special category in accordance with Art. 9 GDPR (hereinafter "sensitive data").
Unless otherwise stipulated elsewhere, the following applies to the legal basis for data processing:
In order to use our App and the services provided through it, you enter into a contract with us by accepting our terms and conditions. We collect and process your personal data for the purpose of fulfilling the contract in accordance with Art. 6 para. 1 b) GDPR.
In addition, we process personal data: as far as this is necessary to fulfill a legal obligation, which we are subject to, in accordance with Art. 6 para. 1 lit. c) GDPR; insofar as this is necessary to safeguard the legitimate interests of our company or a third party and does not outweigh the interests, fundamental rights and fundamental freedoms of the person concerned, in accordance with Art. 6 para. 1 f) GDPR.
We do not collect patient data. You may only integrate patient data into our App on a suitable legal basis, regardless of whether this is done manually or automatically. The legal basis for the processing of personal data derives, among others, from Art. 6 GDPR “Necessary for the performance of the contract” and “Legitimate interests” and, with regard to the processing of personal data of a special category, Art. 9 GDPR “Research Purpose”. If the consent of the data subject is required, you must obtain it. Furthermore, you are obliged, among other things, to inform the data subjects whose data you integrate into our app, in accordance with Art. 13 - 14 GDPR.
We process patient data mainly as a processor on the basis of the agreement concluded with you pursuant to Art. 28 GDPR.
In principle, unless otherwise stated, your personal data will only be stored until the purpose of the collection and storage no longer applies. In accordance with your consent, data may also be stored for longer, as long as you do not withdraw your consent.
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
In the event of termination - for whatever reason - of the contract between the user and the provider, the provider shall keep all content, information and (personal) data uploaded by the user available for retrieval by the user for a further 60 days after termination. After expiry of this period, the aforementioned content will be irrevocably deleted or anonymized in accordance with data protection regulations.
Unless otherwise stated, all data processing takes place within the EU, the EEA countries or in Switzerland. The data transmission to Switzerland, as well as the data processing in Switzerland, are based on the adequacy decision of the European Commission 2000/518/EC.
Data processing operations that are carried out via third party providers established outside the geographical area mentioned above can be carried out partially or completely in the countries of the respective branch or according to the respective data protection regulations.
A transfer of personal data outside the EU or the EEA will only take place on the basis of an adequacy decision of the European Commission, including the EU-US or US-Swiss Privacy Shield adequacy decision, or in accordance with standard contractual clauses of the European Commission.
When you register within the app, we collect the following user data: first name, last name, organisation’s name, e-mail address, password.
We collect this data to ensure that our App is available to you.
If you access patient data via the App, we store this information for a limited period of time in the log files, as far as this is necessary for security purposes.
These purposes also include our legitimate interest, which justifies data processing in accordance with Art. 6 para. 1 f) GDPR.
We only use so-called "technical cookies" in our app, which allow us to recognize you as a user with each access. Such data is not passed on to third parties.
For Apps on iOS and Android we use Google’s Firebase and Google Analytics for Mobile. User data is transmitted in an anonymized form to Google. Our Apps use identifiers for mobile devices, including the Google Advertising ID (“GAID”) and the ID for Advertising for iOS (“IDFA”), as well as technologies similar to cookies, to run the Analytics for Mobile service.
We use Firebase and Google Analytics to analyze and constantly improve the use of our Product. Through the statistics we are able to improve our service and make it more interesting for users. In those special cases in which personal data is transmitted to the USA, Google is certified via EU-US privacy shield.
If we have collected your e-mail address as part of the purchase of our services, we may send you email newsletters for our offers that are similar to the services you have already purchased from us, provided you have not objected to receiving such newsletters. The legal basis for this is § 7 para. 3 UWG. For example, those newsletters may include updates on new product features, additional services we propose in the field of the product you’re using or events at which updates or product demonstrations will be held.
You can object to receiving newsletters from us at any time, without any costs other than the transmission costs according to the basic tariffs (i.e. the costs of your internet provider, for example). We will inform you about the right to object when we collect your email address and in the respective newsletter.
If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights in relation to the controller:
You can request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is carried out, you may request information from the data controller about:
You have the right to request information about whether the personal data relating to you is transferred to a third country or an international organization. In this regard, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
You have the right to obtain from the data controller the rectification and/or completion of any personal data processed concerning you if it is incorrect or incomplete. The data controller shall make the correction without delay.
You may request the controller to erase your personal data without delay and the controller is obliged to erase such data without delay if one of the following grounds applies:
If the controller has made public your personal data and is obliged to delete them in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to these personal data or copies or replications of these personal data.
The right of erasure does not exist insofar as the processing is necessary
You may request the limitation of the processing of your personal data under the following conditions:
If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing has been restricted in accordance with the above conditions, the controller shall inform you before the restriction is lifted.
If you have exercised the right to rectify, erase or restrict the processing, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, commonly used and machine-readable format. In addition, you have the right to transfer this data to another person without hindrance by the controller to whom the personal data was provided, provided that
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
You have the right to object at any time, for reasons that arise from your particular situation, against the processing of your personal data, which is carried out on the basis of Article 6 paragraph 1 letter e or f of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or the processing is for the purposes of establishing, exercising or defending legal claims.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the right to withdraw your expressed consent at any time. The consent withdrawal does not affect the legality of the processing carried out previously on the basis of the consent.
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your domicile, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 of the GDPR.