Privacy Policy (of using the app)
PRIVACY POLICY ON THE USE OF THE PREVENTICUS HEARTBEATS APP AND OF THE ADDITIONAL PACKAGE PREVENTICUS COACH
Last updated: 2024-08-30
The German version is legally authoritative; translations into other languages are non-binding convenience translations.
This privacy policy is intended to inform you on what basis and for what purposes we process the personal data we collect from you or you provide us with when you use the PREVENTICUS Heartbeats app. We would also like to tell you more about your data protection rights. If you would like to use our additional package Preventicus Coach, please refer to section V.
Additional data protection regulations may apply for certain categories of data processing, e.g. if you are using the PREVENTICUS Heartbeats app to take part in a study or a telemedical care programme of your health insurance.
The PREVENTICUS Heartbeats app is a medical product classified for the European Economic Area, which complies with the basic requirements of the Medical Device Regulation MDR (2017/745) and its national implementations.
For more information, please refer to the Terms and Conditions of Use.
PREVENTICUS will process your personal data confidentially and strictly for specific purposes. Your health data will exclusively be processed on servers in Germany.
I. Who is responsible for data processing and who should I contact?
Responsible in terms of the General Data Protection Regulation (GDPR) is:
PREVENTICUS GmbH
Ernst-Abbe-Strasse 15
07743 Jena
You can contact our Data Protection Officer by means of the above contact details or by e-mail at datenschutz@preventicus.com
II. What are personal data?
Personal data is information that can identify someone or that can be used to contact someone, such as an e-mail address.
We do not need your name or any other contact details from you for you to use the PREVENTICUS Heartbeats app, but we save your data without a name reference (pseudonymised) on our systems from the start.
The PREVENTICUS Heartbeats app is therefore not used to process any personal data that can be directly attributed to you. PREVENTICUS cannot identify or individually contact any unregistered users based on the data generally saved in PREVENTICUS Heartbeats.
III. What kind of data do we collect?
III.a Health data
You can use the PREVENTICUS Heartbeats app to take measurements of your own pulse using your smartphone and document them with the app. The PREVENTICUS Heartbeats app then uses the information provided to help automatically detect and classify arrhythmias (extrasystoles, atrial fibrillation), provided sufficiently accurate and valid measurements are available (“health data”). Your heart rhythm and pulse waves will be stored on our servers.
III.b Health profile data in the additional package Preventicus Coach
The health profile in the Preventicus Coach add-on package is created using the basic data and heart rate and heart rhythm data determined in the Preventicus Heartbeats app. In addition, information from medically validated questionnaires and self-administered tests is incorporated, including, for example, the input of blood pressure values, height, weight, waist circumference and results of exercise tests.
III.c Sensor data
In addition to the classification of the measurements, not only your smartphone’s camera but also other sensor data are used for and added to the measurements. This is done to ensure that any movements that could impair the measurement result are taken into account.
As a result of your registration, your licence can be transferred regardless of the operating system you are using and your measurement data can be reproduced if you change or lose your smartphone. It also enables you to take part in a care programme or medical study.
III.d Other data you communicate to us
We generally require neither your name nor any other personal contact data from you, but save your data initially without a name reference (anonymously) on our systems. Processing takes place solely on servers in Germany.
You do, however, have the possibility to add your name and, in a free-text field, store the reason for the measurement or symptoms (heart palpitations, dizziness, irregular heartbeat, chest pains, etc.) for personal purposes in stored PDF reports, for instance to be used for assistance when forwarding the information to your physician. In your user profile you can also state your sex and year of birth (basic data), thus enabling us to better assess your measurement results.
III.e Registration
If you would like to register with us, please communicate your e-mail address and a password set by you. Optionally, you can assign a user name, state your name and enter a promotional code in the field ‘ID health partner’.
Your data will then be saved in a pseudonymised manner. This means that your personal data is stored in hashed form in a separate database from your health data and can be assigned if necessary. Processing takes place solely on servers in Germany.
Registration enables the transfer of your licence irrespective of the operating system and the recovery of your measurement data, should you change or lose your smartphone.
III.f Interoperability option
PREVENTICUS Heartbeats may be opened and used for heart rhythm measurements by dedicated medical applications. In this case, PREVENTICUS Heartbeats performs its measurements with subsequent pseudonymized data analysis on servers hosted in Germany. The pseudonymized results are securely transferred back to the dedicated medical applications. In this scenario, PREVENTICUS Heartbeats does not receive any personal data from the dedicated medical applications except what is necessary for data analysis (age and gender). Only the dedicated medical applications connected to PREVENTICUS Heartbeats may be able to merge pseudonymized measurement results from PREVENTICUS Heartbeats with potentially personal user data derived in the dedicated medical applications. PREVENTICUS Heartbeats is an independent medical application. When using the interoperability option, please refer to the privacy notices of the third-party compatible medical app you are using.
PREVENTICUS has no influence on any further processing of your measurement results in these third-party medical applications.
List of dedicated medical applications that are interoperable with PREVENTICUS Heartbeats:
- Corsano-AF App: App for carrying out various studies
III.g. General data we collect regarding the use of our app
III.g.1 Firebase
Heartbeats uses Google Analytics for Firebase and Firebase Crashlytics services based on your consent. We use these services to collect statistically aggregated data on app usage, especially in relation to system crashes and errors (Firebase Crashlytics) for error detection and correction, as well as certain user-triggered events (Google Analytics for Firebase) for the optimisation of our app. Please note that personal data is also processed in the so-called third country USA, i.e. outside the EEA. In its decision of 10 July 2023, the EU Commission recognised the level of data protection for certain companies from the USA as adequate (as part of the EU-US Trans-Atlantic Data Privacy Framework) in accordance with Art. 45 GDPR, including Google LLC. We have also provided suitable guarantees with Google LLC by means of standard contractual clauses issued by the EU Commission, which provide you with enforceable rights and effective legal remedies. We use the Standard Contractual Clauses with Module Two, which you can find here.
For Crashlytics, information is collected about the device (including the UUID and anonymised IP address), the app version installed, and other information, mainly related to the user’s software and hardware. For Analytics, when the user performs a certain action, an identifier corresponding to the event, the instance ID of your terminal device, is sent to Google. The usage and device data is aggregated and analysed exclusively in pseudonymised form by Google Ireland Ltd. as our order processor. Your data will not be passed on to third parties.
You can deactivate the analysis service Firebase Crashlytics and Firebase Analytics of Google LLC at any time and thus revoke your consent to the collection of this data with effect for the future. For the Android version of the app, open the settings (cogwheel at the top right) and click on ‘Deactivate’. For the iOS version of the app, please go to the iPhone’s general settings, select Heartbeats and switch off ‘Allow tracking’.
Insofar as you participate in a care programme used via Heartbeats that your health insurance company jointly organises with us, among others, the data collection Firebase Crashlytics and Google Analytics for Firebase will be deactivated by us at the start of the contract of the respective care programme and reactivated after termination, if you have given your consent.
Furthermore, the Firebase Cloud Messaging service by Google Inc. will be used for the Android app, as well as the Apple Push Notifications service for the iOS app, to send push notifications or so-called in-app messages (messages that are shown exclusively inside the app) to your device. During this process, Firebase and Apple generate a calculated key that consists of the app identifier and your device identifier. This key will be stored on our Push platform with configured settings to provide you with the information of your choosing. The Firebase or Apple server cannot draw any conclusions regarding the user's app behavior or collect any other data that is associated with your person. Firebase and Apple are only utilized as a message transmitter.
Push notifications can be disabled in your device's operating system settings at any time. We do not process any personal data in relation to push notifications.
III.g.2 Scientific research purposes
For scientific research purposes, we process the IP address for the anonymous classification of your residential district, as well as further statistical data, such as age and gender.
IV. Data processing for payment processing when using the full version and chargeable additional packages
If you would like to use the full version, your app store operator will exclusively process your payment details for handling your purchase. Your contact and payment data is not communicated to us. Please observe the data protection provisions and user regulations of your respective app store operator, Apple App Store and Google Play Store.
V. Data processing when using the Preventicus Coach add-on package
Preventicus Heartbeats automatically transmits the basic data (age, gender) and results of the last measurement (heart rhythm, heart rate, calculated relaxation index) to Preventicus Coach.
All other health data must be entered manually by you in Preventicus Coach and are included in the health profile. Based on the health profile, analyses are automatically created on the server and displayed in Preventicus Coach, including on
– Heart health, taking into account measurements of heart rhythm and resting heart rate (using pulse analysis) and the risk of heart attack
– Circulation, including the risk of stroke and high blood pressure, taking into account user information on blood pressure
– Metabolism and diabetes risk, taking into account user information on BMI, waist-to-body size ratio, alcohol consumption
– Well-being and risk of depression, including display of the relaxation index (based on pulse analysis) and taking into account user information on mental well-being
– Mobility and back with assessment of coordination, strength, flexibility or strength endurance, taking into account user information on the assessment of functional and movement restrictions.
Preventicus Heartbeats also displays information from the Preventicus Coach add-on package in the notification centre in the app about
– whether there are new suggestions due to changed health data in the Coach
– whether health data is missing or outdated in the Coach and needs to be filled in again.
VI. Where do we store your personal data?
If you have consented to the use of Google Analytics for Firebase and Firebase Crashlytics in the app, the processing of personal data in the so-called third country USA, i.e. outside the EEA, cannot be ruled out. As part of the EU-US Trans-Atlantic Data Privacy Framework, the EU Commission recognised the level of data protection for certified companies from the USA as adequate in its decision on 10 July 2023 in accordance with Art. 45 GDPR, including Google LLC.
If you send us a support request, we will process it in our ticket system of the provider Freshworks GmbH. Disclosure to other Freshworks companies, including Freshworks Inc., cannot be ruled out under certain circumstances. Freshworks Inc. has also been certified for the EU-US Trans-Atlantic Data Privacy Framework, so that the EU Commission’s adequacy decision also applies to these processing operations.
All other data is processed exclusively in data centres in Germany.
VII. To what end do we process your data (purpose of processing) and on which legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
VII.a to meet contractual obligations (Art. 6 (1) (b) GDPR)
PREVENTICUS processes contractual information in relation to accounts in order to allocate and provide you and other providers with the contractually agreed services as well as ensure all information reaches the correct recipients.
We store and anonymise your measurements and the evaluations and health values we have created in this respect for scientific and statistical purposes and for the continuous improvement of the app and measurement systems, without prejudice to the cancellation or termination of your account. PREVENTICUS will also delete the link to the account forever. The data will be anonymised in such a way that the pertinent individuals cannot or can no longer be identified.
VII.b to process personal health data based on your consent (Art. 6 (1) (a) GDPR, Art. 9 (2) (a) GDPR)
Based on your consent, we process your health data to detect arrhythmias (extrasystoles, atrial fibrillation) and to classify the results in an analysis report for your information.
VII.c to exercise or defend legal claims (Art. 9 (2) (f) GDPR)
Where necessary, we will process your data for the establishment, exercise or defence of legal claims.
VII.d. within the framework of the balancing of interests (Art. 6 para. 1 lit. f GDPR in conjunction with § 27 BDSG).
Within the scope of our legitimate interests, we will store and anonymise your measurement series and related evaluations or health data for scientific purposes. For this purpose, PREVENTICUS will finally delete the allocation to the account. In addition, we process the IP address for the anonymous classification of your district of residence as well as other statistical data such as age and gender, if available. The data is thus anonymised in such a way that the persons concerned cannot be identified or can no longer be identified.
VIII. Who is my personally identifiable data transferred to?
In general, only those persons within PREVENTICUS have access to this data who require it for the fulfilment of our contractual or, if applicable, legal obligations. Service providers and vicarious agents deployed by us may also receive data for these purposes. This specifically applies to our ISO 27001-certified hosts.
Beyond this we do not communicate your personal or personally identifiable data to third parties.
You are free to communicate the analyses generated via the app (menu option Report) to third parties.
Accordingly, we do not communicate your personal or personally identifiable data to third parties without your explicit previous consent.
You are free to communicate the analyses generated via the app to third parties. You can, therefore, make use of a technical partner of PREVENTICUS, such as a Telecare Center, for instance. For this, please observe section 6 of the Terms of use regarding the “Telecare Center” service package.
IX. Is the provision of the personal data legally or contractually stipulated?
You are under no obligation to provide us with the above-mentioned personal data via the website.
X. How long is my data stored for?
We generally process and save your personal data as long as is necessary for the fulfilment of the purpose or as far as is legally required.
XI. Your rights as an affected person
Each person affected by our personal data processing has the right of access in accordance with Article 15 GDPR, the right of rectification in accordance with Article 16 GDPR, the right to deletion in accordance with Article 17 GDPR, the right to the limitation of processing in accordance with Article 18 GDPR, the right of opposition from Article 21 GDPR as well as the right of data portability from Article 20 GDPR. In the case of access and deletion rights, the limitations according to §§ 34 and 35 of the German Federal Data Protection Act (BDSG) shall apply. Furthermore, a right to appeal to a data protection authority exists in accordance with Article 77 GDPR in conjunction with § 19 of the German Federal Data Protection Act (BDSG).
Except in the case of registered users, PREVENTICUS is unable to identify users. Due to the lack of sufficiently identifiable characteristics, PREVENTICUS is unable to allocate the health data to a non-registered user. In these cases, Articles 15 to 20 do not apply.
X.II. Information regarding your right of opposition in accordance with Article 21 GDPR
X.II.I. Individual right of opposition
You have the right, for reasons resulting from your particular situation, to file an opposition at any time against the processing of your personal data, which has taken place based on Article 6 par. 1 f GDPR (data processing based on a balancing of interests); this also applies, where relevant, to a profiling based on this provision within the meaning of Article 4 par. 4 GDPR. See in particular section 3.4.
If you file an opposition, we will no longer process your personal data, unless we can present proof that compelling protection reasons for processing exist that outweigh your interests, rights and freedoms, or that processing serves the assertion, execution or defence of legal claims.
If you oppose the processing for purposes of direct advertising, we will no longer use your personal data for these purposes.
X.II.II. Revocation of consents granted
You can revoke your consent at any time with effect for the future.
X.II.III. Implementation of the opposition or revocation of consent granted
Opposition can take place informally and can be performed, for instance:
- by clicking on Unsubscribe in the bottom section of an e-mail message (newsletter);
- by using our contact form under contact for your opposition;
- by means of written notification to the address stated in section 1
- by telephone via the number +49 (0) 3641 / 55 98 45 - 0
- or by sending an e-mail to info@preventicus.com
- In order to unsubscribe from receiving e-mails or other advertising materials, you can also follow the instructions given in the respective notification.
Please contact the Data Protection Officer directly with regard to your data protection rights.
XIII. Right of modification
PREVENTICUS is entitled to modify the data protection declaration at any time and, in particular, to adjust it to amendments in the legal situation brought about by law or legislation. The respectively most recent version can be accessed and viewed at this point. Amendments to the data protection provisions shall come into effect at this point upon the day of their publication.
Third Party Libraries PREVENTICUS Heartbeats
https://www.preventicus.com/third-party-libraries-heartbeats-apps/