Data Protection Declaration Curalie App

Stand: 28/10/2021

Your privacy is important to us. We process your personal data in various contexts when you use the Curalie App (“App”). We thereby respect your right to data protection, your privacy and your other rights and freedoms. According to Art. 12 ff. of the General Data Protection Regulation (GDPR) you have a right to be informed by us about the processing of your personal data. Please therefore take a few moments of your time to read this Data Protection Declaration carefully.

1 Name and Contact Data of the Entity responsible for Processing

As a general rule, the entity responsible for the data processing described in the context of this Data Protection Declaration is:

Curalie GmbH
Leipziger Straße 61 A
D10117 Berlin,
E-mail: info@curalie.com
Telephone: +49 (0) 30 549 071 27   

In addition, your personal data may, in the course of your use of the App, also be processed by other responsible entities. These may be either the respective healthcare facility from which you are receiving treatment and which uses Curalie for digital therapy, third party providers of Programmes offered within the App or cooperation partners.

Insofar as your data, in the course of your use of the App, are processed by one of these other responsible entities, we shall, in the context of this Data Protection Declaration, accordingly be drawing your attention to the relevant data processing procedures.

Unless otherwise explicitly stated in this Data Protection Declaration, Curalie GmbH, the respective healthcare facilities, any third party providers of Programmes and cooperation partners thereby act as a general rule as separately responsible entities. You are welcome to approach Curalie GmbH in all matters connected with data protection. We will be glad to assist you in all of your questions.

2 Contact Data of the Data Protection Officer

Our data protection officer is available at the above address, attn. Data Protection Officer, or by mail at datenschutz@curalie.com .

3 Content, Extent, Purpose and Legal Bases for the Processing of Personal Data

Generally speaking, there is no contractual or legal obligation to provide any of the data described in the following. Please note, however, that we may otherwise not be able to provide you with the functions of the App, or only to do so to a limited extent.

3.1 Downloading the App in the App-Store

When you install the App, it may be necessary that you should conclude with an App Store operator (e.g. Google or Apple) a usage agreement pertaining to access to the latter’s portal.

This access presupposes a valid account with the operator of the App Store and an appropriate terminal device (e.g. smart phone) and Curalie does not have any influence upon the data processing in the context of access to and use of the App Store. Such data processing is in this respect the sole responsibility of the respective App Store operator. Please inform yourself directly from the App Store operator regarding the details of its data processing.

3.2 Registration for Use of the App

Use of the App requires registration. When registering, identification and communication data for the creation of a User Account and the authentication of the person will be processed. These include:

  • Name and First Name,
  • Gender,
  • Date of Birth,
  • County,
  • Mobile Phone Number.

To this extent, data processing serves the purpose of supplying the User Account as well as the clear identification of the User. The latter is a prerequisite for use of the App. For safety reasons, smart phone verification by means of an SMS Code is also required.

The processing of the data is effected on the basis of statutory regulations that permit data processing as this is necessary for the provision of the App as well as for the fulfilment of the contract of use concluded about this with the User (Art. 6 Para. 1 lit. b GDPR) as well as – insofar as health-related data are processed to this end – on the basis of the consent granted by the User (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This consent is necessary for use of the App.

3.3 Curalie Identity and Collecting of Data relating to your Health

The basis for use of the App is your personal Curalie Identity. This is your digital User Account within the Curalie world that enables you to avail yourself of the App and the services, Programmes and other contents offered therein as well as to merge information about your health according to the use you make of the App.

The Curalie Identity consists of the master data you supplied in the context of registering for the App (cf. Section 3.2), the totality of the health-related data collected in the context of your use of the App including the vital parameters entered by you and statements that you make in the context of patient surveys (cf. below in each case) plus information from Programmes in which you have participated (cf. Section 3.4).

Using the App you may enter certain key vital parameters yourself; these include:

  • Height and weight
  • Waist size
  • Blood pressure and pulse rate
  • Blood sugar rate
  • Steps and Activity
  • Medication
  • Symptoms

You may furthermore, via the App, participate in patient surveys, particularly in the form of patient questionnaires for the purpose of collecting data about your symptoms and quality of life, so-called PROMs (Patient-Reported Outcome Measures). The data from these surveys will be used both in order to measure your own personal progress as well as – inasmuch as you have submitted your separate declaration of consent hereto – to analyse the effectiveness of individual Programmes or of the App as a whole.

The processing of the data is effected on the basis of the consent granted by you in the context of registering for the App (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This consent is necessary for use of the App.

3.4 Tele-Doctor

In the context of the basic functions of the Curalie App, you have the option of permitting your symptoms to be collected and analysed using the application “Tele-Doctor”, in order to ascertain a possible need for treatment and, where appropriate, to support the process of booking a video consultancy session. The processing consists in detail of the following steps:

(a) Collection of Information about your Health

The application collects information about your health, especially details about your person, your medical history and your acute symptoms.

To begin with, some general information about you, for example your age and gender, are recalled from your Curalie Identity.

Thereafter you answer a number of questions about your health, specifically regarding any risk factors that might be given in your case and any acute symptoms from which you are suffering. The questions asked will thereby be adapted to suit you individually, depending upon the information already collected about you, including your answers to questions already asked.

(b) Analysis of the Information collected

The information concerning your health collected in this way will be automatically analysed in the application. This initially serves the purpose of determining which questions you will be asked. Thereafter, on the basis of the overall analysis, the likelihood is to be ascertained whether certain conditions relevant to your health (such as illnesses or injuries) are given in your case. Finally, proposals as to the urgency of your medical treatment and a possible diagnosis based upon this will be displayed to you.

(c) Forwarding of Information from the Application to Doctors administering treatment

Curalie stores the information from the application, i.e. both your answers to the questions and the proposals made on the basis of the analysis. Should you book a video consultancy session after using the application, the information will be forwarded to the doctor administering treatment. The doctor may use this information to prepare the subsequent anamnesis interview with you as well as in the course of your further treatment.

(d) Improvement of the Accuracy of the Application

By selecting this field you may grant your separate consent that Curalie shall also be permitted to process the information from the application, i.e. both your answers to the questions and the proposals made on the basis of the analysis, for the purpose of improving the accuracy of the application.

The processing of your data in the context of this application is effected on the basis of your consent granted when you started the application for the very first time (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). Consent to the processing described in points (a) to (c) above is necessary for use of the application, whereas your consent to the processing described in point (d) above is optional.

3.5 Participation in Programmes

Using your Curalie Identity you may avail yourself of Programmes – where applicable, with the involvement of the treating healthcare facility (“Provider”) and the doctors / nursing staff working there or without any such involvement – that are offered to you by Curalie GmbH or third parties via the App.

In order to be able to use further functionalities of the App, in particular to participate in Programmes offered in the App, the clear identification of the User and the entry of a so-called Activation Code that activates the desired Programme with its further modules may be necessary for security reasons.

When participating in such Programmes, you must, for each Programme, separately grant your consent to the processing of your health-related data for the purpose of implementing the respective Programme and the adding of said health-related data to your Curalie Identity. Which health-related data are processed in a specific case depends upon the respective Programme in which you wish to participate (cf. Section (b) below). Generally speaking, these data will be processed in order to enable your participation in the Programme and the implementation thereof as well as its evaluation and settlement.

The processing of your health-related data is effected on the consent granted by you in each case when registering for a Programme (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This consent is necessary in order to avail oneself of the respective Programme.

(a) Responsible Entity / Recipient

Insofar as you should avail yourself of a Programme that is offered by Curalie GmbH, Curalie GmbH is responsible to you under data protection law for the processing of your personal data for the purpose of implementing that Programme.

In the case of Programmes offered by third parties it is the respective provider that is responsible to you under data protection law for the processing of your personal data for the purpose of implementing that Programme. Insofar as you should decide to avail yourself of the respective Programme, the third-party provider shall be granted access to your Curalie Identity and to your data collected in the context of the Programme. The identity and contact data of the third-party provider responsible in the individual case are to be found in the respective Programme description; furthermore, their identities are stated in the declaration of consent required from you when registering for the Programme.

The deployment of a Programme will, as a general rule, be recommended or prescribed for you by the Provider (or the doctors / nursing staff working there). Insofar as you should decide to avail yourself of the respective Programme and consent, in the registration process, to data processing by the Provider and the doctors / nursing staff working there, the latter shall be granted access to your Curalie Identity and to your data collected in the context of the Programme. The Provider is responsible under data protection law for each and every recall of your data and the subsequent processing thereof. This also applies to any information which the Provider – depending upon the Programme – might possibly collect and enter in the App about you for the first time in the context of implementing the Programme. The relevant possibilities of contacting the healthcare facility treating you are to be gathered from the data protection information of the Provider.

Health-related data that are processed in the context of these Programmes will in their turn be stored in your Curalie Identity. Curalie GmbH is responsible for such additions and for further processing for the purposes indicated in Section 3.3.

Programmes may be developed and offered in cooperation with other partners. In such cases, we or the third party provider may, under certain circumstances, forward your data to those cooperation partners under pseudonyms or anonymously. The identities and contact data of the respective cooperation are to be found in the respective Programme description; furthermore, their identities have been incorporated in the declaration of consent required from you when registering for the Programme.

(b) Programmes Offered

Currently, the following Programmes are being offered:

(i) HAYA

“HAYA” is a digital support Programme for cancer patients, doctors and members of the nursing staff that offers you information and at the same time acts as a communication and data exchange platform between doctor, patient and nursing staff.

In the context of this Programme, the Provider and the doctors / nursing staff working there may, via a web portal, assign individually to the patient information materials (pertaining, for example, to their diagnosis, therapy, support under social legislation), which the latter may recall and consume via the App.

Over the course of an illness, various other data relevant to the patient will also be collected. These blocks cover the anamnesis (a once-only determination of the status quo of the patient upon entering the Programme), the therapy protocol (in which the progress of the illness is recorded by the doctor) and patient questionnaires (e.g. for establishing symptoms and the quality of life).

There is furthermore the option that patient and health coach (this may be the doctor him-/herself or an assistant appointed for that purpose, e.g. a member of the nursing staff) may communicate via the chat function.

“HAYA” is offered by Curalie GmbH. Curalie GmbH is therefore also responsible for the processing of personal data in the context of implementing the Programme.

(ii) OP-Attendant

The “OP-Attendant” (available for a number of indications) is a Programme that prepares patients for forthcoming operations and supports them both during their stay in the clinic and thereafter.

In the context of this Programme the patient is organised via the App, depending upon the timeframe all the way through to the date of their operation, and sent various contents (information materials, movement and relaxation exercises and patient questionnaires) for the preparation, accompaniment and follow-up of the OP or stay in the clinic.

The “OP-Attendant” is offered by Curalie GmbH. Curalie GmbH is therefore also responsible for the processing of personal data in the context of implementing the Programme.

(iii) Heart-Rehab Follow-up Care

The digital “Heart-Rehab Follow-up Care” follows directly after the in situ rehabilitation measure and supports cardiology patients in the pursuit from home of therapeutic aims not yet achieved.

The Programme is oriented towards the concept of the German State Pension Insurance scheme (DRV) and pursues a multimodal therapeutic approach involving movement and relaxation units plus multimedia elements with the most significant health-related contents, including for example sport exercises or even educational and relaxation exercises that are played off to the patient via the App.

The Provider and the doctors / nursing staff working there are able to track the progress made by the patient in the Programme via the web portal and, in this context, to study the results from the patient questionnaire and the data showing the course of the therapy. Furthermore, the option of communication between the person administering treatment and the patient via the chat function is also given.

The “Heart-Rehab Follow-up Care” is offered by Curalie GmbH. Curalie GmbH is therefore also responsible for the processing of personal data in the context of implementing the Programme.

(iv) Guide (Pro) / (Connect)

The “Guide” (available for a number of indications) enlightens the patient as to the causes, therapeutic possibilities and consequences of the illness and supports them in their illness management and the putting into practice of a healthy lifestyle. The Programme may be used both during the stay in the clinic and in everyday life at home thereafter.

In the context of the Programmes the patient will be sent via the media library in the App information about the illness, movement exercises (in 3 different degrees of intensity), relaxation exercises and prescriptions. In the cases of some indications, the patient, during the first few weeks after commencement of the Programme, will be sent weekly tasks intended to motivate the patient to use the App.

By way of the “Guide Pro”, patients may also participate in patient surveys. By way of the so-called PROMs (Patient-Reported Outcome Measures), it is possible, among other things, to measure the personal progress / success of the patient in the course of the Programme, for example with regard to their quality of life or pain level.

The “Guide Connect” can be used to accompany patients who are also wearing a device for cardiac rhythm control or monitoring and are being cared for by the tele-medical center.

The “Guide (Pro)” is offered by Curalie GmbH. Curalie GmbH is therefore also responsible for the processing of personal data in the context of implementing the Programme.

3.6 Analysis Functionalities

On the basis of all health-related data stored in your Curalie Identity, the App permanently carries out data analyses. The App hereby algorithmically determines the likelihood that certain health-relevant conditions might to arise in your case or whether specific therapeutic possibilities are given and makes, on this basis, appropriate proposals for action in order to support you and the doctors administering your treatment, to whom you have granted access to your Curalie Identity, in matters of diagnosis, treatment and prevention.

In order that an adequate data basis for the analysis algorithms might be available to all Users of the App, your personal health-related data will also be anonymised and further processed in that form.

The processing of the data is effected on the basis of the consent which you, if appropriate, granted in the context of registering for the App (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This consent is not necessary for use of the App.

These analysis functionalities are neither general medical or doctor’s consultancy sessions or treatments nor psychotherapies. Neither are they substitutes for examination or treatment from a healthcare facility. The Provider itself decides in every individual case and for each individual User upon the specific measures and specific therapy for the respective User. The User freely decides which measures and therapies they wish to avail themselves of.

3.7 Usage Data

We also process usage data subsequent to each recourse made to the App. This covers the following data in particular:

  • The current language setting of the terminal device,
  • Information pertaining to the internet service provider of the User,
  • IP Address (Internet Protocol Address) of the accessing terminal device,
  • Date and time of the recall,
  • Device ID (e.g. UDID, for the identification of your device(s) in the context of certain authentication),
  • User recognition on the Curalie Platform,
  • Session identification number

We delete or render anonymous the usage data including the IP addresses immediately, as soon as they are no longer required for the aforementioned purposes.

Furthermore, whenever a User logs in, the following User data will be stored in the Log-in data sentences for a maximum of 7 days for the purposes of recognising and persecuting misuse:

  • Date and time of the log-in,
  • User recognition on the Curalie Platform.

The processing of the data is effected on the basis of statutory regulations that permit said data processing as this is necessary for the technical provision of the App to the User (Art. 6 Para. 1 lit. b GDPR), or because we have a legitimate interest in guaranteeing the security and functional capability of the App and its due and proper use and no overriding interest of the persons affected should oppose this (Art. 6 Para. 1 lit. f GDPR).

3.8 Data Processing for Customer Support

Should you, as a customer, contact us with any problems or questions, we process your contact data (in particular your name, e-mail address, mobile telephone number) in order to be able to deal with your concern. To this end we store and process your data in the Customer Support Tool used by us.

In this case the processing of your personal data is effected on the basis of Art. 6 Para. 1 lit. f) GDPR, as we have a legitimate interest in assisting our customers in use of our products and in being able to offer you such support, as well as – insofar as health-related data are processed to this end – on the basis of the consent granted by the User (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This consent is necessary for use of the App.

3.9 Improvement of the App and the Programmes

Should you have granted your separate consent to this, we shall also be using your data in order to improve the functionalities of the App and to shape the design of the same in a more user-friendly or – from a medical point of view – more effective manner (Art. 6 Para. 1 lit. a, Art. 9 Para. 2 lit. a GDPR). This also serves the purpose of permanently guaranteeing the safe provision of the App. Furthermore, the data may also serve the purpose of evaluating and improving the Programmes – also with respect to their interplay with one another.

3.10 Usage Analysis

In order to analyse your usage data, we use only technologies operated by Curalie GmbH. Processing of the data is effected on the basis of statutory regulations that permit such processing as we have a legitimate interest in a better understanding of the use of our service without any overriding interest of the affected persons opposing this (Art. 6 Para. 1 lit. f GDPR).

4 Possible Recipients of Your Data

The forwarding of your personal data without your explicit prior consent shall, in addition to the other constellations already indicated in this Data Protection Declaration , only take place in the following cases:

4.1 Employees of Curalie GmbH

The recipients of your data are primarily the employees of Curalie GmbH. All employees have been subjected to obligations of confidentiality and secrecy with respect to your data.

4.2 Providers and Doctors / Nursing Staff working there

Your Provider and the doctors / nursing staff working there shall process your personal data for the purpose of accompanying your participation in Programmes, insofar as you should decide to avail yourself of the respective Programme, and consent to the processing in the context of registering (cf. Section 3.4.a above on this). Furthermore, you also have the option of granting your Provider and the doctors / nursing staff working there access to the data stored in the Curalie App, in particular your Curalie Identity, unconnected with your participation in a specific Programme. Should you separately and specifically consent to this processing, Curalie GmbH will forward the relevant data to the Provider and the doctors / nursing staff working there.

4.3 Prosecuting Authorities and injured Third Parties; other Authorities

Should this be necessary in order to clarify any illegal or abusive use of the service or for the pursuit of legal proceedings, personal data shall be forwarded to the prosecuting authorities and, if applicable, to any injured third parties. This shall only be done, however, should specific pointers to illegal or abusive conduct be given. Forwarding may also take place should this serve the enforcement of Terms and Conditions or any other agreements. Our legitimate interest in the data processing hereby lies in ensuring the orderly functioning of our website and service as well as, where applicable, in asserting, exercising or defending our legal claims (Art. 6 Para. 1 lit. f GDPR).

We may furthermore be obliged by law to impart information to certain public bodies upon being asked. These are prosecuting authorities, authorities that pursue administrative misdemeanours punishable by fines and the fiscal authorities (Art. 6 Para. 1 lit. c GDPR).

4.4 Service Providers

For the provision of the functionalities of the internet site described in this Data Protection Declaration we are, from time to time, dependent upon the services of contractually affiliated external companies and service providers resident outside the EU or the EEA, for example for our customer service or the hosting of the service. In such cases, information is forwarded to said companies or individual persons, in order to enable further processing by the latter. These external service providers are carefully selected and regularly monitored by us in order to be certain that your privacy is respected, and are permitted to use the data exclusively for the purposes stipulated by us. They will furthermore be subjected by us to a contractual obligation to handle your data exclusively in accordance with this Data Protection Declaration and the German data protection laws. Inasmuch as this should be a body outside the EU or the EEA, we ensure an appropriate level of data protection, for example by concluding relevant contracts with the respective recipients of the data.

4.5 Affiliated Companies / Transformations

In the context of the further development of our business it may happen that the structure of our company is transformed through a change in the legal form or the founding, purchasing or selling of subsidiaries, parts of the company or individual components. In the event of any such transactions we may, under certain circumstances, forward your data together with that part of our company that is to be transferred. We shall ensure that, whenever personal data are forwarded to the extent described in the above, this shall take place in accordance with this Data Protection Declaration and the relevant data protection laws.

5 Your Rights as an Affected Person

As a person affected by the processing of personal data you enjoy the following rights in particular:

– Right to Information: You have the right to receive information about the personal data affecting yourself.

– Right to Correction: You possess the right to have false or incomplete personal data affecting yourself to be corrected.

– Right to Deletion: You may also demand the deletion of your personal data, for example should said data no longer be required for the purposes for which they had been collected or otherwise processed.

– Right to Restriction upon Processing: You furthermore have the right to demand the restriction upon the processing of your personal data; in such an eventuality the data will be blocked for all processing. This right is given in particular should the correctness of the personal data be a matter of dispute between you and us.

– Revocation of Consents: You have the right to revoke your consent(s) at any time – for example via the contact paths indicated under Sections 1 and 2 above – with effect for the future. Should you wish to exercise this right, please note that the legality of any data processing that has already taken place shall not be affected by this. Furthermore, use of the App or participation in Programmes shall thereafter no longer be possible, or only to a limited extent.

A consequence of the revocation of consent to participation in certain Programmes is that the respective healthcare facility and possibly the respective third party provider of the Programme shall no longer be granted access to your Curalie Identity. In the event of revocation we shall ask you separately whether the respective health-related data affecting yourself from the Programme should also be removed from your Curalie Identity.

– Right to Data Portability: Insofar as we should process your personal data for the fulfilment of a contract concluded with you or on the basis of your consent, you also have the right to receive your personal data in a structured, standard and machine-readable format, if and insofar as you have supplied the data to us.

Right of Contradiction: You may additionally contradict data processing for reasons that derive from your own particular situation. This shall only apply, however, in such cases in which we undertake data processing for the fulfilment of a legitimate interest of either Curalie GmbH or of a third party. Should you be able to present any such reason and should we not be able to assert any mandatory, protection-worthy interest in further processing, we shall no longer process those data for the respective purpose.

Should you wish to assert any of your rights as an affected person with respect to the personal data processed under our responsibility or have any questions regarding data protection in our company, you are welcome to contact us via the paths indicated under Sections 1 and 2 above. After your inquiry has been conclusively answered, we shall delete your inquiry within a period of three years subsequent to the expiry of the respective calendar year.

In the event that you should wish to assert your rights as an affected person against third party providers or cooperation partners, you are welcome to approach them at any time for that purpose. The relevant possibilities for contacting your Provider are to be derived from the latter’s data protection information.

Finally, you have the right to lodge a complaint about the processing of your personal data with a supervisory authority responsible for data protection. The supervisory authority responsible for Curalie is: The Berlin Officer for Data Protection and Freedom of Information, Friedrichstraße 219, D-10969 Berlin, telephone:+49 (0)30 13889-0.

6 Duration of the Storage of Data

Unless otherwise stated in this Data Protection Declaration, we delete personal data as a matter of principle when the purpose for which they have been stored lapses. A continuing purpose may be given in particular should the data still be required in order to perform contractual services or to be able to review claims under warranty and, if applicable, guarantee and to grant or avert the same. Data processed on the basis of consent shall – subject to any statutory or contractual retention obligations – be deleted by us as a matter of principle as soon as you withdraw your consent. We review at regular intervals whether the storage purpose has lapsed or retention is still necessary.

In the case of statutory retention obligations, which may amount to between 10 and 30 years for health-related data, the deletion of thereof shall not be an option until after the retention obligation has expired. Should, on the basis of statutory retention periods, deletion not be permissible, we shall restrict processing to the mere archiving of the data sentences in question.

7 Updating

We reserve the right to adapt the contents of this Data Protection Declaration at any time. As a general rule, this shall occur when the services deployed are themselves further developed or adapted. You may view the currently valid Data Protection Declaration in the App.