Version: 1.0.2
Date: 31.10.2024
Carealytix Digital Health GmbH (referred in the following as “Carealytix” or “we”) is committed for protecting your privacy when using the website under the URL www.carealytix.com and the associated sub-domains (e.g. www.mizu-app.com, www.kidney-plus.com) and ensures that personal data will only be processed in accordance with the applicable data protection regulations, in particular the EU General Data Protection Regulation. We are committed to protecting your personal data (hereinafter referred to as “data”) and therefore comply with the applicable data protection laws.
With these data protection provisions, we comply with our information obligations under Art. 12 et seq. of the General Data Protection Regulation (hereinafter referred to as “GDPR”). We would like to give you an overview of what data we store about you and when, and how we use this data. We only collect your data to the extent that is technically necessary. Under no circumstances do we sell your data or pass it on to third parties for unjustified reasons.
Key Definitions
“Controller” is the party that is determining the purposes and means of the processing of personal data in accordance with the meaning of Art. 4 No. 7 GDPR. In particular, the controller determines what is processed, how and for what purpose. The controller is responsible for the processing and must ensure that the data protection regulations are complied with.
“Processor” is the party who operates on behalf of the controller and processes personal data on the controller’s behalf in accordance with Art. 4 No. 8 GDPR.
“Personal data” means any information that can be attributed directly or indirectly to an identifiable natural person (“data subject”) in accordance with Art. 4 No. 1 GDPR.
“Processing” means all possible types of data processing in accordance with Art. 4 No. 2 GDPR. This includes the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, linking, restriction, erasure, or destruction of personal data.
“Data subject” is the natural person to whom the data processed by the controller can be directly or indirectly assigned in accordance with Art. 4 No. 1 GDPR.
“Recipient” is the party to whom personal data is disclosed, regardless of whether it is a third party or not, in accordance with Art. 4 No. 9 GDPR.
“Third party” means any party other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data, in accordance with Art. 4 No. 10 GDPR.
“Special categories of personal data” pursuant to Art. 9 para. 1 GDPR include the data subject’s health data. This data requires a higher level of protection.
“Health data” means personal data relating to the physical or mental health of the data subject and which reveal information about the data subject’s state of health, in accordance with Art. 4 No. 15 GDPR.
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action (e.g., by checking a box provided for that purpose), signifies agreement to the processing of personal data relating to him or her.
Details of the Responsible Party
Carealytix Digital Health GmbH, Hohendilching 5, 83626 Valley, represented by the management (in the following referred to as „controller“) is responsible for data processing within the scope of the website within the meaning of Art. 4 No. 7 GDPR as provider and operator. If you have any questions in connection with the processing of personal data, please contact the controller by email at info@carealytix.com.
Information on the Data Protection Officer
Furthermore, you have the right to contact the controller's external data protection officer with questions relating to the processing of your personal data and the exercise of your rights as a data subject in accordance with the GDPR. You can reach them using the following contact details:
QuR.digital GmbH
Große Elbstraße 135
22767 Hamburg
Contact: Katharina Böck
Tel.: +49(40)32524552
E-Mail: info@qur.digital
Notes on Data Security
Carealytix uses common, known methods to transfer and store your data securely. To ensure the best possible protection for the data you transmit to us, we use a so-called transport layer security encryption protocol, or TLS encryption for short, on our website. This encryption ensures that the data you transmit to us cannot be read, redirected, or modified by unauthorized third parties during transmission.
To protect your data managed by us against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons, we use legally prescribed technical and organizational security measures.
Storage Location and Integration of Service Providers
Your data will be stored and processed exclusively in security-certified data centers within the European Union, if data is stored at all. We reserve the right to use various service providers to store and process your data, but they will only act on our behalf and in accordance with our instructions. We will oblige the service providers we use to take technical and organizational measures that are suitable in accordance with the current state of the art to ensure that your data is processed in compliance with data protection regulations. Under no circumstances will your data be passed on or sold to third parties by our service providers.
Your Data Subject Rights
As a “data subject” within the meaning of Art. 4 No. 1 GDPR, you are entitled to certain inalienable rights (data subject rights). The controller is obliged to guarantee these data subject rights and must contractually oblige any processors it uses to provide the best possible support in implementing these data subject rights. In this respect, you are entitled to the following data subject rights:
- Right to information (Article 15 GDPR): You have the right to obtain information from us as to whether we process personal data about you and, if so, what data this is and for what purpose.
- Right to rectification (Article 16 GDPR): You have the right to have incorrect or incomplete personal data that we have stored about you corrected.
- Right to erasure (Article 17 GDPR): Under certain circumstances, you have the right to request that we erase your personal data. This right exists, for example, if the data is no longer required for the purposes for which it was collected or if you have withdrawn your consent.
- Right to restriction of processing (Article 18 GDPR): Under certain circumstances, you have the right to restrict the further processing of your personal data. This right exists, for example, if you dispute the accuracy of the data or the processing is unlawful.
- Right to data portability (Article 20 GDPR): You have the right to receive a copy of your personal data from us in a structured, commonly used, and machine-readable format. You can also have this data transmitted to another controller if this is technically feasible.
- Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data on grounds relating to your situation. We will then no longer process your data unless there are compelling legitimate grounds for the processing.
- Right to withdraw consent (Article 7 (3) GDPR): If we process your personal data based on your consent, you can withdraw this consent at any time. This does not affect the lawfulness of the processing up to the point of withdrawal.
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.
You can assert your rights as a data subject at any time by notifying the controller in writing or electronically using the contact details provided above. Alternatively, you can also contact the data protection officer of the controller. The contact details are also stated above in this privacy policy. In this context, both the controller and the data protection officer reserve the right to verify your identity using a suitable procedure.
Disclosure of Data to Third Parties
The controller will only pass on your data to third parties within the meaning of Art. 4 No. 10 GDPR if
- you have given your express consent to the disclosure pursuant to Art. 6 (1) a) GDPR;
- the disclosure pursuant to Art. 6 (1) b) GDPR is necessary for the initiation or performance of a contract between you and the controller
- the controller is legally obliged to disclose the data pursuant to Art. 6 (1) c) GDPR; or
- the disclosure pursuant to Art. 6 (1) f) GDPR is necessary based on the “legitimate interest” of the controller for the assertion, exercise and defense of legal claims and there is no reason to assume that you have an overriding interest in the non-disclosure of the data that requires protection.
Data Transfer to Third- party Countries
The controller may use service providers as processors that have their registered office in a third-party country or are part of an international organization that has its registered office in a third-party country. In the context of the GDPR, a third-party country is a country that is not a member of the European Union (EU) or the European Economic Area (EEA) and therefore does not fall under the regulatory influence of the GDPR. What these third-party countries have in common is that they sometimes have their own data protection law, the content of which may, however, be below the level of protection of the GDPR. Against this background, Art. 44 GDPR stipulates that the transfer of data to third countries is only permitted under certain legal conditions.
In accordance with Art. 45 GDPR, the permissibility of data transfer to third countries is generally based on an adequacy decision between the EU Commission and the third-party country in question. The existence of an adequacy decision indicates that the data protection law applicable in the third-party country in question provides a level of protection for your personal data that is comparable to the GDPR. If no such adequacy decision exists, data transfer pursuant to Art. 46 (2) c) GDPR is alternatively based on the conclusion of a contract between the controller and the relevant service provider based on the standard contractual clauses issued by the standard contractual clauses issued by the EU Commission. These contractual clauses provide a sufficient guarantee on the part of the respective service provider also regarding the enforceability of the rights of data subjects provided for by the GDPR.
You will be expressly informed by us in the context of this privacy policy if a service provider has such a third country reference. In this case, by giving your consent, you agree that your personal data may be transferred to such a company.
Accessing the Website
If you access the controller’s website under the URL www.carealytix.com or the associated sub-domains (e.g., www.mizu-app.com, www.kidney-plus.com) via the end device you are using, so-called “log files” are created and transmitted to the hosting provider of our website.
Processed Data:
Your IP address, the date and time of your request, the time zone, the content of the request, the access status, the amount of data transferred, the content from which the request was made (referrer URL) and the operating system of the end device used (e.g., macOS, Windows, iOS, or Android) are processed in the context of the log files
Purpose of Processing:
The data is required in the form of log files so that the website of the controller and operator can be displayed on the device you are using. Accordingly, log files serve to ensure the technical functionality of the website. The data processed in the log files is neither merged with other data sources nor used to identify individual users. In particular, the data is not used to carry out evaluations for marketing purposes.
Legal Basis:
The lawfulness of this data processing is based on Article 6 (1) f) GDPR. The interest required for this follows from the controller's desire to be able to use the platform technically. This does not conflict with any individual rights.
Receiver:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the website. Webflow Inc. (398 11th Street, Floor 2, San Francisco, CA 94103, USA) operates for us in this context as a processor within the meaning of Art. 4 No. 8 GDPR and has accordingly been obliged to set up and maintain appropriate technical and organizational measures (TOMs) to protect your personal data based on an order processing contract (AV contract).
Please note in this context that Webflow Inc. has its registered office in the USA. Data transfer to the USA is generally not intended but cannot be conclusively ruled out. In this respect, the information on data transfer to third-party countries applies.
Storage Duration:
The storage period for log files is usually 14 days. They are then automatically deleted.
Use of Cookies
If cookies are used on the website, a technical requirement and a non-technical requirement must be distinguished. Cookies are generally considered to be small text files that are automatically stored by the browser you are using on the device you are using. Technically necessary cookies are used, for example, to enable the website to be displayed on the device you are using. Technically unnecessary cookies, on the other hand, are used to enable the analysis of user behavior on the website. In the following, we will first discuss data processing in the context of the use of technically necessary cookies. If technically unnecessary cookies are also used on the website, information on this can be found in separate sections of this privacy policy.
Processed data:
As part of the use of technically necessary cookies, some form data (e.g. log-in information), language settings and history data are processed.
Purpose of Processing:
The data mentioned above is required so that it can be recognized that you have already visited individual areas of the website and partly ensures that you do not have to make certain entries and settings again when you visit the website.
Legal Basis:
The lawfulness of this data processing is based on Article 6 (1) a). You give your consent in the context of a cookie banner, which is displayed when you first visit the website. This gives you the opportunity to consent to the use of cookies. You can also adjust your settings regarding the use of cookies later.
However, you can also prevent the use of cookies by deactivating or gradually restricting the setting of cookies in the settings of the browser you are using. You must, therefore, manually delete any cookies already stored on the device you are using. Please note that completely or partially deactivating cookies in your browser settings may mean that you will not be able to use the website or certain functions on the website, or only to a limited extent.
Receiver:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the website. Webflow Inc. (398 11th Street, Floor 2, San Francisco, CA 94103, USA) acts for us in this context as a processor within the meaning of Art. 4 No. 8 GDPR and has accordingly been obliged to set up and maintain appropriate technical and organizational measures (TOMs) to protect your personal data based on an order processing contract (AV contract).
Note that Webflow Inc. has its registered office in the USA. Data transfer to the USA is generally not planned but cannot be conclusively ruled out. In this respect, the information on data transfer to third-party countries applies.
Storage Duration:
The storage period depends on the cookie used. These are either deleted immediately when you end your visit to our website or after a specified period that cannot be determined by us.
Contacting the Responsible Person
Du hast stets die Möglichkeit, im Rahmen der Website mit dem Verantwortlichen (z.B. per E-Mail) in Kontakt zu treten und Anfragen zu stellen. In diesem Zusammenhang werden personenbezogene Daten verarbeitet.
Processed Data:
Your personal data (e.g., name, address), your contact details (e.g., telephone number, e-mail address) and the specific content of the request are processed. Please note that the controller has no influence if you transmit sensitive data (e.g., health data) to the controller as part of your request. You will not be asked by the controller to send such data.
Purpose of Processing:
The processing of the data mentioned above is carried out for the purpose of being able to answer your request quickly and to your satisfaction.
Legal Basis:
The controller bases the lawfulness of this data processing on Article 6 (1) a) GDPR. You give your consent by actively sending the controller a corresponding request (e.g. by email).
Receiver:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the Zendesk service (Zendesk Inc. 989 Market Street #300, San Francisco, CA 94102, USA). In this context, the provider of Zendesk acts as a processor for the controller and has been obliged by the controller to establish and maintain appropriate technical and organizational measures (TOMs) to protect your data based on a data processing agreement.
Note in this context that Zendesk Inc. has its registered office in the USA. Data transfer to the USA is generally not intended but cannot be conclusively ruled out. In this respect, the information on data transfer to third-party countries applies.
Storage Duration:
The data processed in the context of receiving and responding to your request will remain stored until the purpose of the data processing no longer applies.
Receiving Newsletters, Promotional Information
As part of the services provided by the controller, you have the option of registering to receive the newsletter. It is necessary to process your personal data to create, send and evaluate our newsletter.
Processed Data:
Your first name, surname, email address and anonymized usage data (e.g., opening and click rate) are processed.
Purpose of Processing:
The processing of the data mentioned above is necessary so that the controller can send you personalized newsletters and information and measure an anonymized evaluation of the success of the newsletter in terms of the click and open rate.
Legal Basis:
The lawfulness of this data processing is based on Article 6 (1) a) GDPR. You can give your consent to receive our newsletter and information via the study platform. To register to receive the controller’s newsletter, it is necessary for you to consent to the processing of your personal data by ticking a checkbox provided for this purpose.
Receiver:
Depending on your role as a patient or healthcare professional or service provider, the recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the Brevo service (formerly Sendinblue) of Sendinblue GmbH (Köpenicker Straße 126, 10179 Berlin) or the Pipedrive service of Pipedrive OÜ. (Mustamäe tee 3a, 10615 Tallinn). In this context, the providers of the services act as processors for the controller and have been obliged by the controller to set up and maintain appropriate technical and organizational measures (TOMs) to protect your data based on data processing agreements.
Please note in this context that Pipedrive OÜ is part of Pipedrive Inc., which has its registered office in the USA. Data transfer to the USA is generally not intended but cannot be conclusively excluded. In this respect, the statements on data transfer to third-party countries apply.
Storage Duration:
The data processed by the controller in this context will be stored until you withdraw your consent to receive the newsletter from the controller. You can revoke your consent at any time in the footer of the newsletter or by sending an email to the contact details specified in sections 2 and 3 of this privacy policy.
Use of the Career Portal
As part of the services offered on the website, you can apply for advertised positions or send us an unsolicited application via the career portal. Personal data is processed in this context.
Processed Data:
Your personal data (surname, first name), contact details, CV data (e.g., vocational training, university degree), data on professional experience and other knowledge and skills are processed.
Purpose of Processing:
The processing of the data mentioned above is necessary to be able to process your application sensibly and effectively. This also includes comparing your data with the requirements profile of open positions to identify you as a potentially suitable candidate for the position.
Legal Basis:
The lawfulness of this data processing is based on Article 6 (1) a) GDPR. You give your consent by actively sending us your application documents.
Receiver:
Recipients of your personal data within the meaning of Art. 4 No. 9 GDPR are, in addition to the controller, the Asana service of Asana Inc (633 Folsom Street, San Francisco, CA, United States). In this context, the provider of this service acts as a processor for the controller and has been obliged by the controller to establish and maintain appropriate technical and organizational measures (TOMs) to protect your data based on data processing agreements.
Note in this context that Asana Inc. has its registered office in the USA. Data transfer to the USA is generally not intended but cannot be conclusively ruled out. In this respect, the information on data transfer to third-party countries applies.
Storage Duration:
The data processed by the controller in this context will be deleted no later than 6 months after the position for which you have applied has been filled unless you consent to the storage of your data for the purpose of later consideration for further application rounds. In this case, your personal data in connection with your application will remain stored for a maximum of 2 years and will then be deleted.
User Analysis Using Matomo
For the analysis of user behavior, we use the Matomo Analytics service (formerly Piwik) on our website. This is an open-source service that enables the collection and analysis of anonymized usage data without the use of cookies. As part of the usage analysis, usage data is collected, anonymized, and evaluated.
Processed Data:
Your anonymized IP address, browser type/version, operating system of the end device, website from which the request comes (so-called referrer URL), content of the request (specific page of the platform), date and time of the request, time zone, access status/http status code, amount of data transferred and usage data (e.g., time spent on pages, click rate, scrolling behaviour) are processed.
Purpose of Processing:
Processing the data mentioned above enables the controller to evaluate the use of the website and thus determine where the website still needs to be improved. This follows not least from the controller’s desire to adapt the website and the services offered to the needs of users in the best possible way.
Legal Basis:
The lawfulness of this data processing is based on Art. 6 (1) a) GDPR. You give your consent by agreeing to the use of Matomo Analytics in the cookie banner when you first access the website (or at a later point in time).
Receiver:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of Matamo Cloud, InnoCraft Ltd (150 Willis St, 6011 Wellington, New Zealand). In this context, the provider acts as a processor for the controller and has been obliged by the controller to establish and maintain appropriate technical and organizational measures (TOMs) to protect your data based on a data processing agreement.
Note in this context that InnoCraft Ltd. has its registered office in New Zealand. A data transfer to New Zealand is generally not intended but cannot be conclusively excluded. In this respect, the statements on data transfer to third-party countries apply.
Storage Duration:
Although your personal data is processed exclusively in anonymized form after collection and it is therefore no longer possible to assign this data to you personally later, the controller has decided to limit the storage period of this data to 14 months. After 14 months, the usage data stored by Matomo Analytics is automatically deleted.
Integration of Social Media Services
We may use links to social media platforms (e.g., Facebook) on our website. By clicking on the corresponding link on the website, you will be redirected to a specific profile on the linked social media platform. Direct contact and the associated data exchange between you and the respective social media platform is only established when you actively click on the respective link. In this respect, we do not process your personal data in accordance with the GDPR. Further information in connection with the linked social media platforms can be found in the respective privacy policies.
Integration of Third-Party Content
The website may contain links to external websites. Please note that we are not always responsible for their data protection or the content of these other offers. The integration of this content requires that the providers of this content (“third-party providers“) are aware of your IP address, as otherwise the content cannot be displayed in the browser you are using. However, the controller has no influence on whether third-party providers process your IP address for other purposes, such as statistical analysis. If the controller becomes aware of such a procedure, you will be informed as part of this privacy policy.
We recommend that you inform yourself about the respective privacy statements of this external content when you leave the website.
No Automated Decision-making
In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and implement a business relationship or other relationship. If we use these procedures in individual cases, we will provide separate information about this if this is required by law.
Changes to This Privacy Policy
The controller reserves the right to update this privacy policy with effect for the future to be able to react appropriately to changes in the law, changes in jurisdiction or changes in economic circumstances. Your rights as a data subject within the meaning of the GDPR will never be restricted by an amendment to this privacy policy.