Privacy Policy, Curalie App

Last updated 10/11/2022 

Your privacy is important to us. We process your personal data in various contexts if you use the Curalie app (“App”). In the process, we respect your right to data protection, your privacy, and your other rights and freedoms.

1. Controller’s name and contact details

As a basic principle, the following is the controller responsible for the data processing described in this privacy policy:

Curalie GmbH (“Curalie”) 
Leipziger Straße 61 A 
10117 Berlin, Germany 
e-mail: info@curalie.com 
Phone: +49 (0) 30 549 071 27

In addition, your personal data may also be processed by other controllers in the course of your use of the App. These controllers may be the relevant healthcare institution with which you are in treatment and that Curalie uses for the digital treatment, third-party providers of programs offered within the App, or cooperation partners.

Where your data are processed by one of these further controllers in the course of your use of the App, we will notify you accordingly in this privacy policy or in the relevant declarations of consent.

Unless expressly described otherwise in this privacy policy, Curalie, the relevant healthcare institutions, and any third-party providers of programs and cooperation partners act in the course of these activities as separate controllers in principle. You are welcome to contact Curalie on all matters concerning data protection and/or privacy.

2. Data protection officer contact details

The data protection officer can be reached at the above address, Attn.: Data Protection Officer, or at datenschutz@curalie.com.

3. Content, scope, purposes and legal bases of processing of personal data

As a basic principle, there is no contractual or statutory obligation to provide the data described below. However, please note that if you do not do so, we may not be able to provide the functions of the App, or we may be able to do so only with limitations.

3.1 Downloading the App from the app store

When you install the App, you may be required to enter into a use agreement with an app store operator (such as Google or Apple) regarding access to that operator’s portal.

This access requires a valid account with the operator of the app store and an appropriate device (such as a smartphone), and Curalie has no influence over the processing of data in conjunction with your access to and use of the app store. In this regard, the sole controller responsible for this data processing is the relevant app store operator. Please obtain information directly from the app store operator regarding the details of its processing of data.

3.2 Registering to use the App

Registration is required in order to use the App. During the registration process, identification and communication information will be processed to create a user account and authenticate you personally. This information includes:

• Last name and first name
• Sex
• Date of birth
• Country
• Mobile phone number
• e-mail address

The processing of these data serves to provide the user account and for purposes of unique identification of the user. The latter is a prerequisite for the use of the App. Smartphone verification via code sent by text message is also required for security reasons.

In addition, information on how you wish to use the App is collected in the course of the registration process. For example, you may be asked whether you plan to use the App more as a “lifestyle app” or with an eye to features that are strictly health-related. These data are processed in order to suggest specific features and content that are especially relevant to you in the App.

The data are processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the App and perform the use agreement entered into in this regard toward you as the user (point (b) of Article 6(1) GDPR) and – to the extent that health data are processed to this end – on the basis of the consent you grant during the registration process (point (a) of Article 6(1) and point (a) of Article 9(2) GDPR). This consent is necessary in order to use the App.

3.3 Health diary

The health diary is the basis for your use of the App and the services, programs, and other content offered in the App. It serves in particular to compile information on your health depending on your use of the App.

The health diary contains the following information:

The data are processed on the basis of the consent granted by you in the course of registering for the App or for the use of the relevant function (to book a video consultation, participate in supported / monitored programs, and add treating healthcare institutions), as the case may be (points (a) of Article 6(1) and (a) of Article 9(2) GDPR). The consent granted in the course of registering is required for the general use of the App, and the consent relating to specific functions is required for the use of the relevant function.

If you consent thereto, the data from your health diary may also be used by third parties, such as third-party providers of programs (see Sec. ‎0) or treating healthcare institutions (see Sec. ‎0).

3.4 Basic functions of the App, patient surveys

The App offers various base functions that you can use to record data, particularly data relating to your health. This information includes:

• the entries with which you can record and track your general health information, medical data (vital data), symptoms, and medications
• the Health-Check feature, where you can enter information on your general state of health and on specific health factors and risks relating to disease or illness in order to get tips and advice for healthy living
• the Tele-Doctor feature, which you can use to book a video consultation (see Sec. ‎0) and to prepare by filling out a medical history questionnaire and providing some information about your health for the treating physician
• the Symptom-Check feature (see Sec. ‎0)
• the document upload feature, where you can upload or take pictures of documents relating to your health

3.5 Symptom-Check

As part of the base functions of the App, you can use the “Symptom-Check” application to identify which symptoms you are experiencing, what the possible causes might be, and whether or to what extent medical care is necessary. The processing activity consists specifically of the following processing steps:

(a) Collection of information about your health

The App collects information on your health, particularly certain master data (age, sex), information on general risk factors (excess body weight, high blood pressure, smoker status, injuries, pregnancy), and your acute symptoms. At the start, the master data are accessed from your health diary. Then you answer a number of questions about your health. The first few questions concern general risk factors that are fundamentally important to your health.  The further questions concern any risk factors that may apply to you and acute symptoms you are experiencing. The questions asked are adjusted to you individually depending on what information has already been collected about you, including your responses to previous questions.

(b) Analysis of information collected

The information collected in this way about your health is automatically analyzed in the App. This is done first to select which questions to ask you. As the next step, the overall analysis aims to determine the likelihood that you are experiencing certain health-related conditions (such as illness or injury). This is then used as the basis for the final stage, in which you are shown suggestions regarding the urgency of seeking medical treatment and a possible diagnosis.

(c) Disclosure of the information from the App to treating physicians

Curalie stores the information from the App, meaning both your answers to the questions and the suggestions made on the basis of the analysis. If you book a video consultation using the App, this information may be disclosed to Helios Kliniken GmbH, which is responsible for implementing the video consultation (see Sec. ‎0), and the treating physicians / nursing staff involved in the specific case. The treating healthcare institution can use the information to prepare for the subsequent medical history discussion with you and in the context of your further treatment as well.

This processing of your data pursuant to points (a) and (b) takes place on the basis of your consent as relevant in each case (points (a) of Article 6(1) and (a) of Article 9(2) GDPR). These forms of consent are necessary in order to use the App and book a video consultation, respectively.

3.6 Video consultation

You can book a video consultation in the App via the Telemedicine Center of Helios Kliniken GmbH, Friedrichstr. 136, 10117 Berlin (“Helios”). Curalie and Helios will then process your data, including your health data, as follows:

(a) Processing within the scope of the booking process

In order to make it possible to schedule an appointment and later bill for the video consultation within the scope of the booking process, information on the appointment itself and the treating physician is processed, along with your contact information (name, e-mail, and address) and, if you have health insurance within the statutory insurance system, insurance information (insurer name and insurance number). If these data are not already stored in your health diary, they will be collected for the first time within the scope of the booking process and then stored in your health diary for future processing. Curalie is the controller responsible for this processing step under data protection law. When the appointment booking is confirmed, the data from the booking process are transferred to Helios. These data are then processed for the rest of the booking process by Helios and Curalie acting as joint controllers (Article 26 GDPR).

(b) Processing for medical preparation and implementation of the video consultation

When the video consultation is booked, Helios and/or the relevant treating physicians / nursing staff also receive access to those of your personal data that are stored in the App, including health-related data. This includes the data from your health diary (which also include data from any use of the Health-Check feature prior to booking and information from the medical history questionnaire, which you can fill out after the booking), but that is not all. It also includes any information you may have provided before booking the video consultation in the course of using the Symptom-Check feature (see Sec. ‎0). These data are then processed further by Helios for the purpose of medical preparation and implementation of the video consultation. Curalie is not responsible for providing medical advice and is not the controller responsible for processing data in this regard. Instead, Helios bears sole responsibility and is the sole controller in this respect.

(c) Processing for the technical realization of the video consultation

The technical realization of the video consultation itself takes place not in the App, but rather via a separate platform. This means it is not covered by this privacy policy. Helios bears sole responsibility and is the sole controller in this respect. More-detailed information on the relevant processing of your data is available from the separate privacy policy for the platform.

(d) Processing following a video consultation

After a video consultation, the treating physicians / nursing staff can also import data from your video consultation (particularly the information noted for purposes of documenting the consultation) and possibly data from your further treatment into the App, where these data are stored in the document upload section as part of your health diary. Curalie then processes these data as the sole controller responsible as described in Sec. ‎0 above.

In turn, your data from the App may also undergo further processing by Helios relating to subsequent treatment. The treating physicians / nursing staff may also use the chat and calendar functions of the App for later coordination and communication with you or use the document upload feature to upload documents from the video consultation or your other treatment; in this case, your personal data (calendar entries, chat messages, content of the documents) will be processed as well.

3.7 Participation in programs

You can use the App to participate in programs offered to you by Curalie or third parties. Depending on the program, participation may be possible only with the involvement of your treating healthcare institution and the physicians / nursing staff who work there, or it may be possible to participate even without this kind of connection.

Unique identification of the user and entry of an activation code that unlocks the desired program with the further modules may also be required for security reasons.

To participate in programs with the involvement of your treating healthcare institution and the physicians / nursing staff who work there, you may need to consent separately to the processing of your health data for purposes of implementing the program and to these health data being added to your health diary and stored there, depending on the program. Which health data are processed in the specific case depends on the program in which you wish to participate (see Sec. ‎0 below). In general, these data are processed in order to allow you to participate in the program and enable the implementation of the program, along with evaluation and billing.

This processing of your health data takes place on the basis of the consent you have granted in the course of registering for a program in each case (points (a) of Article 6(1) and (a) of Article 9(2) GDPR). This consent is necessary in order to use the relevant program.

(a) Controllers / recipients of data

Where you make use of a program offered by Curalie, Curalie is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program to you.

In the case of third-party provider programs, the relevant third-party provider is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program to you. If you decide to make use of the program in question, the third-party provider receives access to your health diary and the data concerning you that are collected within the scope of the program. The identity and contact information of the third-party provider responsible as the controller in the specific case are stored in the relevant program description; furthermore, the provider’s identity is stated in the specific declaration of consent that you are required to issue when registering for the program.

Some programs are recommended or prescribed for you by your healthcare institution (or the physicians / nursing staff who work there). If you decide to make use of the program in question and add the healthcare institution, the healthcare institution and the physicians / nursing staff who work there receive access to your health diary and the data concerning you that are collected within the scope of the program. They may also use the chat and calendar functions of the App to coordinate and communicate with you; in this case, your personal data (calendar entries, chat messages) will be processed as well. The healthcare institution is the controller responsible under data protection law for all instances of access to and any subsequent processing of your data. This also applies to information that the healthcare institution may collect regarding you within the scope of implementing the program, depending on the program. For means of contacting your treating healthcare institution, please see the healthcare institution’s data protection and privacy information.

Health data arising from program participation are stored in turn in your health diary. This may also include data for which a third-party provider or a supporting / monitoring healthcare institution is responsible as the controller under data protection law. In this case, however, Curalie is always the controller responsible for further processing for the purposes mentioned in Sec. Fehler! Verweisquelle konnte nicht gefunden werden..

Programs may be developed and offered in cooperation with further partners. In such cases, we or the third-party provider may share your data with these cooperation partners in pseudonymized or anonymous form. The identity and contact information of the specific cooperation partners are stored in the relevant program description.

(b) Programs offered

The following programs are currently offered:

(i) Free programs

The “free” programs are available to all users of the App for activation in the programs section of the App. These informational and prevention programs serve to help people maintain their health, live a healthy lifestyle, and cope with common illnesses and diseases. They can be used without linking to a healthcare institution.

Depending on the program, the user is provided with various content having to do with the topic of health, including things like informational articles, physical activities / relaxation exercises, and recipes. In principle, App users only consume content within the scope of the free programs; no collection of program-specific data occurs beyond that. In individual cases, symptoms may be recorded as well, as described in Sec. 3.4 above. Data may also be collected via patient questionnaires known as PROMs; on this point, also see Sec. 3.4 above.

(ii) Surgery Companion

The Surgery Companion (available for various indications) is a program that prepares patients for an upcoming surgery and provides support during and after the patient’s time in the hospital.

To activate a program in the App, the patient is asked to enter an activation code provided by the treating healthcare institution.

The program then uses the App to provide patients with structured content, which may vary according to the amount of time remaining before the date of surgery (informational articles, physical activities and relaxation exercises, and patient questionnaires) to prepare for, support, and follow up after the surgery or after the patient’s time in the hospital.

(iii) Guide (Pro) / (Connect)

The Guide (available for various indications) provides patient education on the causes and effects of a disease or medical condition and the potential treatment options and helps patients to manage their health issue and adopt and maintain a healthy lifestyle. This program can be used while a patient is in the hospital and from home afterward, as part of daily life.

To activate a program in the App, the patient is asked to enter an activation code provided by the treating healthcare institution.

During the program, the patient is provided with information in the App about the disease or condition and, depending on the indication, may also receive information on things like physical activities and relaxation exercises and recipes.

With the “Guide Pro,” patients can also participate in patient surveys. PROMs (patient-reported outcome measures) can be used to measure factors such as the patient’s personal progress/success in the program, for example in relation to quality of life or pain level.

The “Guide Connect” feature can support patients who also have a device to control or monitor heart rhythm and are receiving care from the Telemedicine Center.

(iv) PROMs (Survey Kit)

PROMs (Survey Kit) is a program that serves for quality assurance at hospitals/healthcare institutions. The Survey Kit can be used to conduct medical surveys on what are known as patient-reported outcome measures (PROMs), which permit conclusions regarding factors such as health-related quality of life or a patient’s disease-specific symptom burden. Other forms of surveys, such as patient-reported experiences (PREs), are also possible.

To activate a program in the App, the patient is asked to enter an activation code provided by the treating healthcare institution.

During the program, patients respond to questionnaires via the App. The results of the survey are displayed for the healthcare institution on the Curalie Portal. Through data visualization, the treating physician or therapist can check the course or success of the patient’s treatment.

All of the programs mentioned in points (i) through (iv) above are offered by Curalie. Therefore, Curalie is also the controller responsible for the processing of personal data within the scope of program implementation.

3.8 Adding treating healthcare institutions

You can add healthcare institutions with which you are already in treatment as treating healthcare institutions in the App. When you do this, the healthcare institution can support and monitor your participation in programs in the App (on this point, see Sec. ‎0 above) and can also use the App as part of your other treatment. To this end, the healthcare institution and/or the physicians / nursing staff who work there receive access to your health diary and the data stored there. In turn, the healthcare institution and/or the physicians / nursing staff who work there can also add data to your health diary and store this information there.

3.9 Use data

We also process use data every time the App is accessed. This includes but is not limited to the following data:

• Device’s current language settings
• Information on the user’s Internet service provider
• IP (Internet Protocol) address of the device accessing the App
• Date and time of retrieval
• Device ID (e.g., UDID, to identify your device or devices as part of secure authentication)
• User ID on the Curalie platform
• Session ID number

We erase or anonymize the use data, including the IP addresses, without undue delay as soon as they are no longer needed for the aforementioned purposes.

In addition, the following user data are stored in the login data sets for a maximum of seven days each time a user logs in for purposes of identifying and investigating abuse:

• Date and time of login
• User ID on the Curalie platform.

The data are processed on the basis of statutory provisions that permit the data processing because it is necessary in order to provide the App to you in technical terms (point (b) of Article 6(1) GDPR) or because we have a legitimate interest in ensuring the security and functionality of the App and the proper use thereof, without there being an overriding interest on the part of the data subject that conflicts with this (point (f) of Article 6(1) GDPR).

3.10 Data processing for customer support

If you contact us as a customer in case of problems or questions, we process your contact details (particularly your name, e-mail address, and mobile phone number) to be able to respond to your concern. To this end, we store and process your data.

In this case, your personal data are processed on the basis of point (f) of Article 6(1) GDPR because we have a legitimate interest in supporting our customers in using our products and being able to offer them support and – to the extent that health data are processed to this end – on the basis of the consent granted by you in the course of registration (points (a) of Article 6(1) and (a) of Article 9(2) GDPR). This consent is necessary in order to use the App.

3.11 Improvements to the App and programs

If you have granted us your separate consent to this, we moreover use your data to improve the features of the App and further develop it to be more user-friendly or more advanced from a medical standpoint (points (a) of Article 6(1) and (a) of Article 9(2) GDPR). This also serves the purpose of ensuring secure provision of the App in the long term. Beyond that, the data may be used to evaluate and improve programs, including as they interact with each other.

3.12 Use analysis

We analyze data aggregated across all users on the manner in which the App is used (e.g., frequency of use of individual features, issues with user guidance, etc.). We use only technologies operated by Curalie to analyze these use data. These data are processed on the basis of statutory provisions that permit the processing of data because we have a legitimate interest in better understanding the use of the service, without there being an overriding interest on the part of the data subject that conflicts with this (point (f) of Article 6(1) GDPR). Your health data are not affected by this.

4. Possible recipients of your data

In addition to the other circumstances mentioned in this privacy policy, your personal data are disclosed without your express prior consent only in the following cases:

4.1 Employees of Curalie

The primary recipients of your data are the employees of Curalie. All employees have undertaken an obligation to maintain confidentiality and the secrecy of your data.

4.2 Providers of functions in the App

In addition to the programs described above, certain further functions may be offered by third parties in the App. If you use these functions, we will share your data with the relevant provider of the function, but only if you have granted express prior consent separately to the processing of your data in conjunction with the function in question.

4.3 Law enforcement agencies and injured third parties; further government agencies

If necessary to investigate an unlawful or abusive use of the service or for purposes of asserting rights, personal data may be forwarded to law enforcement agencies and, where applicable, to injured third parties. However, this takes place only if and when there are concrete indications of unlawful or abusive behavior. Disclosure may also occur if this serves to enforce terms of use or other agreements. Our legitimate interest in data processing in this case lies in ensuring the proper functioning of our website and the service and, where applicable, establishing, exercising, or defending against legal claims (point (f) of Article 6 (1) GDPR).

We may also be legally obligated to provide information in response to inquiries from certain public bodies, such as law enforcement agencies, government agencies that impose fines for regulatory offenses, and fiscal authorities (point (c) of Article 6(1) GDPR).

4.4 Service providers as processors

To provide the functions of the Internet site as described in this privacy policy, we occasionally rely on third-party companies and external services providers, which may be based outside the EU or the EEA, for example for our customer service or to host our services. We select these external service providers carefully and review them regularly to ensure that your privacy is safeguarded, and they are not permitted to use the data except for the purposes stipulated by us. They moreover undertake a contractual obligation toward us to treat your data exclusively in accordance with this privacy policy and EU data protection and privacy laws. Where the matter concerns a body outside the EU or the EEA, we ensure an appropriate level of data protection.

4.5 Affiliates / corporate transformations

As our business evolves, the structure of our company may change in that we change our legal form or establish, acquire, or sell subsidiaries or parts or elements of our company. In the case of transactions like these, we may disclose your data together with the part of the company that is being transferred. Each time we disclose personal data to third parties within the scope described above, we ensure that this takes place in compliance with this privacy policy and the relevant data protection and privacy laws.

5. Your rights as a data subject

As a data subject whose personal data are being processed, you have the following rights in particular:

• Right of access to information: You have the right to access information on the personal data concerning you.
• Right of rectification: You have the right to have inaccurate personal data concerning you rectified or incomplete personal data concerning you completed.
• Right of erasure: You can also obtain from us the erasure of your personal data, for example if your data are no longer required for the purposes for which they were collected or otherwise processed.
• Right to restriction of processing: You have the right to obtain from us the restriction of processing of your personal data; in such a case, the data will be blocked from any and all processing. This right applies in particular if there is any dispute between us concerning the accuracy of the personal data.
• Withdrawal of consent: You have the right to withdraw your consent at any time – for example via the contact channels mentioned in Sec. ‎0 and ‎0 above – with effect for the future. Should you wish to exercise this right, please note that the lawfulness of data processing that has already occurred prior to the withdrawal of consent is not affected. In addition, if you withdraw consent, certain features of the App may be unavailable, or you may be unable to use the App or participate in programs at all.

Withdrawal of consent to a video consultation or to participate in certain programs results in the relevant healthcare institution and, where applicable, third-party provider of the program no longer having any access to your data. In the event of withdrawal of consent, we will ask you separately whether you also wish us to remove the relevant health data concerning you from the program from your health diary.

• Right to data portability: Where we process your personal data to perform a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, commonly used and machine-readable format to the extent that you have provided the data to us.
• Right to object: Furthermore, you can object to the processing of data for reasons arising from your particular situation. However, this applies only in cases in which we process data to fulfill a legitimate interest of Curalie or a third party. If you can present that there is such a reason and we cannot assert any compelling legitimate interest in continuing the processing, we will no longer process these data for the purpose in question.

If you wish to assert any of your rights as a data subject with regard to personal data processed under our responsibility as the controller or have any questions regarding data protection and/or privacy within our organization, you can contact us using the contact channels mentioned in Sec. ‎0 and ‎0 above. After your inquiry has been answered conclusively, we will erase your inquiry three years after the end of the relevant calendar year.

In the event that you wish to assert your rights as a data subject toward third-party providers or cooperation partners, you can contact these entities at any time to do so. For means of contacting your healthcare institution, please see the healthcare institution’s data protection and privacy information.

Finally, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of personal data. The supervisory authority with jurisdiction over Curalie is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin, phone: +49 (0)30 13889 0.

6. Duration of storage of data

Unless otherwise described in this privacy policy, we erase personal data in principle when the purpose for storage thereof no longer applies. There may be an ongoing purpose, in particular, if the data are still needed in order to provide contractual services or to be able to review and abide by or defend against warranty and, where applicable, guarantee claims. Subject to statutory or contractual obligations of retention, we erase data processed on the basis of consent in principle as soon as you withdraw the relevant consent. We check at regular intervals whether the purpose of storage has ceased to apply or retention remains necessary.

In the case of statutory retention obligations, which may apply for a period of up to 30 years in the case of health data, erasure does not enter into consideration until after the relevant retention period has elapsed. In this case, we archive the data and restrict the further processing.

7. Updates

We reserve the right to adjust the content of this privacy policy at any time. This typically occurs when the services used are further developed or adjusted. You can view the current privacy policy in the App.