imitoWound Privacy Policy

    Controller

    The Controller in accordance with the relevant data protection regulations is imito AG (hereinafter referred to as "Provider"). For details on the summonable address and authorized representation, please refer to the imprint.

    Scope Of The Application

    For us, the protection of personal data has the highest priority. Therefore, we would like to inform you at this point about which data we collect and when and how we handle your personal data. This privacy policy describes the collection and use of personal data when using our apps, regardless of the type of device and operating system (hereinafter, collectively: "App").

    General Information On Data Processing

    Scope of the processing of personal data

    We process personal data only to the extent necessary to provide a functional app. As a rule, personal data is processed only with the consent of the data subject or on the basis of other legal provisions that permit data processing.

    A distinction must be made between two categories of personal data:

    • personal data of the App users (e.g. physicians, nurses, wound specialists in small practices or independent practice, etc.) - (hereinafter referred to as "user data")
    • personal data of third parties (e.g. patients), which, depending on the agreement with the controller, are integrated into the App either manually or automatically by users - (hereinafter referred to as "patient data").

    Patient data also includes personal data of a special category in accordance with Art. 9 GDPR (hereinafter "sensitive data").

    Legal Basis For The Processing Of Personal Data

    Unless otherwise stipulated elsewhere, the following applies to the legal basis for data processing:

    Legal basis for the processing of user data

    In order to use our App and the services provided through it, you enter into a contract with us by accepting our terms and conditions. We collect and process your personal data for the purpose of fulfilling the contract in accordance with Art. 6 para. 1 b) GDPR.

    In addition, we process personal data: as far as this is necessary to fulfill a legal obligation to which we are subject, in accordance with Art. 6 para. 1 lit. c) GDPR; insofar as this is necessary to safeguard the legitimate interests of our company or a third party and does not outweigh the interests, fundamental rights and fundamental freedoms of the person concerned, in accordance with Art. 6 para. 1 f) GDPR.

    Legal basis for processing patient data

    We do not collect patient data. You may only integrate patient data into our App on a suitable legal basis, regardless of whether this is done manually or automatically. The legal basis for the processing of personal data derives, among others, from Art. 6 GDPR “Necessary for the performance of the contract” and “Legitimate interests” and, with regard to the processing of personal data of a special category, Art. 9 GDPR “Research Purpose”. If the consent of the data subject is required, you must obtain it. Furthermore, you are obliged, among other things, to inform the data subjects whose data you integrate into our app, in accordance with Art. 13 - 14 GDPR.

    We process patient data mainly as a processor on the basis of the agreement concluded with you pursuant to Art. 28 GDPR.

    Data Deletion And Storage Period

    In principle, unless otherwise stated, your personal data will only be stored until the purpose of the collection and storage no longer applies. In accordance with your consent, data may also be stored for longer, as long as you do not withdraw your consent.

    Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.

    In the event of termination - for whatever reason - of the contract between the user and the provider, the provider shall keep all content, information and (personal) data uploaded by the user available for retrieval by the user for a further 60 days after termination. After expiry of this period, the aforementioned content will be irrevocably deleted or anonymized in accordance with data protection regulations.

    Transfer To Third Countries

    Unless otherwise stated, all data processing takes place within the EU, the EEA countries or in Switzerland. The data transmission to Switzerland, as well as the data processing in Switzerland, are based on the adequacy decision of the European Commission 2000/518/EC.

    Data processing operations that are carried out via third party providers established outside the geographical area mentioned above can be carried out partially or completely in the countries of the respective branch or according to the respective data protection regulations.

    A transfer of personal data outside the EU or the EEA will only take place on the basis of an adequacy decision of the European Commission, including the EU-US or US-Swiss Privacy Shield adequacy decision, or in accordance with standard contractual clauses of the European Commission.

    Data Usage When Using The App

    When you register within the app, we collect the following user data: first name, last name, organisation’s name, e-mail address, password. 

    We collect this data to ensure that our App is available to you. 

    If you access patient data via the App, we store this information for a limited period of time in the log files, as far as this is necessary for security purposes.

    These purposes also include our legitimate interest, which justifies data processing in accordance with Art. 6 para. 1 f) GDPR.

    Use Of Cookies

    We only use so-called "technical cookies" in our app, which allow us to recognize you as a user with each access. Such data is not passed on to third parties.

    Firebase & Google Analytics for Mobile

    For Apps on iOS and Android we use Google’s Firebase and Google Analytics for Mobile. User data is transmitted in an anonymized form to Google. Our Apps use identifiers for mobile devices, including the Google Advertising ID (“GAID”) and the ID for Advertising for iOS (“IDFA”), as well as technologies similar to cookies, to run the Analytics for Mobile service.

    We use Firebase and Google Analytics to analyze and constantly improve the use of our Product. Through the statistics we are able to improve our service and make it more interesting for users. In those special cases in which personal data is transmitted to the USA, Google is certified via EU-US privacy shield.

    Newsletter

    If we have collected your e-mail address as part of the purchase of our services, we may send you email newsletters for our offers that are similar to the services you have already purchased from us, provided you have not objected to receiving such newsletters. The legal basis for this is § 7 Abs. 3 UWG. For example, those newsletters may include updates on new product features, additional services we propose in the field of the product you’re using or events on which updates or product demonstrations will be held.

    You can object to receiving newsletters from us at any time, without any costs other than the transmission costs according to the basic tariffs (i.e. the costs of your internet provider, for example). We will inform you about the right to object when we collect your email address and in the respective newsletter.

    Rights Of The Data Subject

    If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights in relation to the controller:

    Right Of Access To Information

    You can request confirmation from the controller as to whether personal data concerning you is being processed by us. 

    If such processing is carried out, you may request information from the data controller about:

    • the purposes for which the personal data is processed;
    • the categories of personal data which are processed;
    • the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
    • the planned duration of storage of your personal data or, if it is not possible to give specific details, criteria for determining the duration of storage;
    • the existence of a right of rectification or erasure of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing; 
    • the existence of a right to complain to a supervisory authority;
    • all available information on the source of the data if the personal data are not collected from the data subject;
    • the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.

    You have the right to request information about whether the personal data relating to you is transferred to a third country or an international organization. In this regard, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

    Right To Rectification 

    You have the right to obtain from the data controller the rectification and/or integration of any personal data processed concerning you if it is incorrect or incomplete. The data controller shall make the correction without delay.

    Right To Erasure (Right To Be Forgotten)

    Obligation To Erase

    You may request the controller to erase your personal data without delay and the controller is obliged to erase such data without delay if one of the following grounds applies:

    • the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
    • you withdraw your consent on which the processing was based pursuant to Art. 6 (1) point (a) or Art. 9 (2) point (a) GDPR and where there is no other legal ground for the processing;
    • you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
    • the personal data concerning you has been processed unlawfully;
    • the erasure of your personal data is necessary to comply with a legal obligation in Union or Member State law to which the controller is subject;
    • your personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

    Information To Third Parties

    If the controller has made public your personal data and is obliged to delete them in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to these personal data or copies or replications of these personal data.

    Exceptions

    The right of erasure does not exist insofar as the processing is necessary

    • to exercise the right of freedom of expression and information;
    • to fulfill a legal obligation which requires processing in Union or Member State law to which the controller is subject or for the performance of a task of public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health pursuant to Art. 9 (2) points h and i and Art. 9 (3) GDPR;
    • for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1) GDPR, in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • to establish, exercise or defend legal claims.

    Right To Restriction Of Processing

    You may request the limitation of the processing of your personal data under the following conditions:

    • if you contest the accuracy of your personal data for a period of time that enables the controller to verify the accuracy of the personal data;
    • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead;
    • the controller no longer needs the personal data for the purposes of processing, but you need them to establish, exercise or defend legal claims, or
    • if you have objected to processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether the legitimate interests of the controller override yours.

    If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    If processing has been restricted in accordance with the above conditions, the controller shall inform you before the restriction is lifted.

    Right To Be Informed

    If you have exercised the right to rectify, erase or restrict the processing, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.

    You have the right to be informed of these recipients by the controller.

    Right To Data Portability

    You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another person without hindrance by the controller to whom the personal data was provided, provided that

    • the processing is based on consent pursuant to Art. 6 (1) point (a) GDPR or Art. 9 (2) point (a) GDPR or on a contract pursuant to Art. 6 (1) point (b) GDPR and 
    • the processing is carried out by automated means.

    In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons must not be affected by this.

    The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.

    Right To Object

    You have the right to object at any time, for reasons that arise from your particular situation, against the processing of your personal data, which is carried out on the basis of Article 6 paragraph 1 letter e or f of the GDPR; this also applies to profiling based on these provisions. 

    The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or the processing is for the purposes of establishing, exercising or defending legal claims.

    If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

    Right To Withdraw Consent

    You have the right to withdraw your expressed consent at any time. The consent withdrawal does not affect the legality of the processing carried out previously on the basis of the consent.

    Right To Complain To A Supervisory Authority

    Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State in which you are domiciled, in which you work or in which the alleged infringement took place, if you believe that the processing of personal data concerning you is contrary to the GDPR.

    The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 of the GDPR.

    Changes To This Privacy Policy

    Due to the dynamic development of the Internet, new technologies and opportunities are constantly evolving. In order to allow you to enjoy these opportunities and technologies as well, we reserve the right to change this privacy policy for the future when introducing new, additional, or changing or extending existing services or service elements.

    A change of the privacy policy, which refers to the use of the already collected data, takes place only if this is reasonable for you. If and to the extent that changes to the privacy policy relate to the use of the data already collected, we will notify you in good time by email, on our App or in any other form. If no objection occurs within the specified period, the amended privacy policy shall be deemed to have been accepted by you. In the notification we will inform you of your right of objection and the significance of the objection period.