Privacy policy
The protection of your personal data is not only important to you, but also to us, the persons jointly responsible for the web app "dermanostic" (hereinafter "we", "us"). We appreciate your trust that we will handle your personal data conscientiously and in accordance with the law.
With this data protection notice, we would like not only to comply with our legal obligations under Articles 13 and 14 GDPR (DS-GVO), but also to describe to you in a comprehensible way what personal data is processed when you use this webapp and how we handle it. Dermanostic GmbH processes and uses personal data collected when accessing and using the webapp in compliance with the data protection regulations applicable in the Federal Republic of Germany.
Controller
The controller pursuant to Art. 24 GDPR for the processing of personal data in connection with the operation of the app and the mediation of treatment requests is:
Dermanostic GmbH
Merscheider Straße 1
42699 Solingen
Germany
The following cooperating dermatology practices are responsible for the medical treatment pursuant to Art. 24 GDPR:
Privatpraxis Dr. med. Ole Martin, Merscheider Straße 1, 42699 Solingen
CentroDerm, Heinz-Fangman-Straße 57, 42287 Wuppertal-Barmen
Dermatologie am Groner Tor, Groner-Tor-Straße 25, 37073 Göttingen
Contact details of the data protection officer
You can contact the data protection officer of Dermanostic GmbH by email.
If your request concerns medical treatment, please contact the respective practice directly.
1 Provision of the Webapp
1.1 Provision of the Webapp
1.1.1 Purposes
This processing serves to establish the connection between our server and your device for the use of our webapp.
1.1.2 Data types
We process connection data (access data and device data) as categories of data relating to you.
1.1.3 Legal basis
The legal basis is your agreement to the webapp user contract pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
1.1.4 Necessity
The processing of the above-mentioned data relating to you is necessary for your use of our webapp. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
1.1.5 Storage period
The storage period lasts until the end of the session.
1.1.6 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
1.1.7 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings by deleting the user account.
1.2 Webapp security
1.2.1 Purposes
This processing serves to ensure the uninterrupted operation of the webapp.
1.2.2 Data types
We process connection data (access data and device data) and your system information as categories of data relating to you.
1.2.3 Legal basis
The legal basis is our legal obligation to ensure the secure processing of personal data pursuant to Art. 6 para. 1 subpara. 1 lit. c in conjunction with Art. 24 and 32 GDPR.
1.2.4 Storage period
The storage period is 30 days for the logging of access to the interface between the app and the server and two months for the transmission of system crashes.
The storage period for this processing of the above-mentioned data relating to you is two months for Google Firebase Crashlytics and 14 months for Google Analytics.
1.2.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
The above-mentioned data relating to you will be transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
The above-mentioned data relating to you will be transferred to the United States as a third country with an adequacy decision pursuant to Art. 45 GDPR.
1.3 Consent management
1.3.1 Purposes
This processing serves the management and documentation of your consents.
1.3.2 Data types
We process consent data as categories of data relating to you.
1.3.3 Legal basis
The legal basis for the processing of the above-mentioned data relating to you is our obligation to provide proof pursuant to Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Art. 5 para. 2 and Art. 7 para. 1 GDPR.
The storage of a technically necessary cookie on your device for the management and documentation of your consent is based on Art. 5 para. 2 GDPR in conjunction with Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with § 25 para. 2 no. 2 TTDSG.
1.3.4 Necessity
The processing of the above-mentioned data relating to you is necessary for the fulfillment of our legal obligations.
1.3.5 Storage period
The storage period for this processing of the above-mentioned data relating to you is until the withdrawal of your consent. In order to fulfill our obligation to provide proof, we keep a deletion log for three years.
1.3.6 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
1.4 User account management
1.4.1 Purposes
This processing serves the security of user account management.
1.4.2 Data types
We process user account data, session data and login data as categories of data relating to you.
1.4.3 Legal basis
The legal basis is Art. 6 para. 1 subpara. 1 lit. f GDPR. Our legitimate interest is the security of user account management.
1.4.4 Storage period
The storage period for the processing of user account data is ten years after the end of the treatment or until the withdrawal of your consent.
The storage period for login data is until logout from the webapp or until the deletion of your user account.
The storage period for session data is until the withdrawal of your consent. We keep a deletion log for three years.
1.4.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
1.4.6 Your right to object
Pursuant to Art. 21 GDPR, you have the right to object to the processing of the data relating to you described above if there are reasons arising from your particular situation or if your objection is directed against direct marketing.
You may exercise your right to object at any time by email.
2 Mediation of teledermatological treatment
2.1 Mediation of teledermatological treatment
2.1.1 Purposes
This processing serves the creation of a case within the webapp for dermatological consultation of users by a consulting physician user as well as the mediation of a teledermatological treatment through the webapp to a treating physician.
2.1.2 Data types
We process patient master data, mediation data and treatment data as categories of data relating to you.
2.1.3 Legal basis
The legal basis is your agreement to the webapp user contract pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
2.1.4 Necessity
The processing of the above-mentioned data relating to you is necessary for the mediation of your teledermatological treatment, i.e. for the execution of the user contract with us. If you do not provide us with the above-mentioned data relating to you, we cannot perform the user contract with you.
2.1.5 Storage period
The storage period for this processing of the above-mentioned data relating to you is until the withdrawal of your consent. We keep a deletion log for three years.
The storage period for the processing of user account data is ten years after the end of the treatment or until the withdrawal of your consent.
2.1.6 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
If a physician wishes to translate the above-mentioned data relating to you into your language, this data will be transmitted to DeepL SE, Maarweg 165, 50825 Cologne, Germany.
2.1.7 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in the mobile app in your account settings by deleting the user account.
2.2 Patient support
2.2.1 Purposes
This processing serves the handling of medical patient inquiries.
2.2.2 Data types
We process patient master data and treatment data as categories of data relating to you.
2.2.3 Legal basis
The legal basis is your agreement to the webapp user contract pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
2.2.4 Necessity
The processing of the above-mentioned data relating to you is necessary for the handling of your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
2.2.5 Storage period
The storage period for this processing of the above-mentioned data relating to you is until the withdrawal of your consent. We keep a deletion log for three years.
2.2.6 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany.
If patient support wishes to translate the above-mentioned data relating to you into your language, this data will be transmitted to DeepL SE, Maarweg 165, 50825 Cologne, Germany.
2.2.7 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings by deleting the user account.
2.3 Payment for teledermatological treatment
2.3.1 Purposes
This processing serves the payment of the mediation and transmission of your teledermatological treatment.
2.3.2 Data types
We process payment data and, in the case of payment via PayPal, PayPal user master data as categories of data relating to you.
2.3.3 Legal basis
The legal basis is your agreement to the webapp user contract pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
2.3.4 Necessity
The processing of the above-mentioned data relating to you is necessary for payment processing as part of the user contract concluded with us for our webapp. If you do not provide us with the above-mentioned data relating to you, your user contract with us cannot be carried out.
2.3.5 Storage period
The storage period is until the withdrawal of your consent. We keep a deletion log for three years.
2.3.6 Recipient
The above-mentioned data relating to you will be transmitted, depending on the selected payment method, to Stripe Deutschland GmbH, Stresemannstr. 123, 10963 Berlin (payment by credit card or ApplePay) or PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
2.3.7 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings by deleting the user account.
3 Product development
In order to detect skin diseases even faster and thus help future patients even better, we research artificial intelligence that supports dermatological online diagnosis.
We thank you for your support and trust when you consent to this processing. The processing of this data is carried out under strict confidentiality and the highest security requirements.
3.1 Research into AI-assisted teledermatological diagnosis
3.1.1 Purposes
This processing serves the development of an AI-assisted teledermatological treatment for faster and more effective diagnosis.
3.1.2 Data types
We process images uploaded by you and medical history data as categories of data relating to you.
3.1.3 Legal basis
The legal basis is your explicit consent to “product development” pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
3.1.4 Storage period
The storage period for this processing of the above-mentioned data relating to you is until the withdrawal of your consent. We keep a deletion log for three years.
3.1.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany and Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
3.1.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings under the item “AI development”.
3.2 Product improvement through user behavior analysis
3.2.1 Purposes
This processing serves product improvement through user behavior analysis via Mixpanel.
3.2.2 Data types
We process user behavior data such as event data, device data and demographic characteristics as categories of data relating to you.
3.2.3 Legal basis
The legal basis is your explicit consent to “product development” pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
3.2.4 Storage period
The storage period for this processing of the above-mentioned data relating to you is until the withdrawal of your consent. We keep a deletion log for three years.
3.2.5 Recipient
The above-mentioned data relating to you will be transmitted to Mixpanel Inc., 1 Front Street, 28th Floor, San Francisco, CA 94111, United States.
The above-mentioned data relating to you will be transferred to the United Kingdom and the United States as third countries with an adequacy decision pursuant to Art. 45 GDPR.
Your data will be transferred to the following third country without an adequacy decision: Singapore. The legal basis for the transfer of your data to this third country without an adequacy decision is standard contractual clauses pursuant to Art. 46 GDPR. The company provides appropriate safeguards for data protection which you can review upon request.
3.2.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings under the item “Product development”.
4 Marketing
4.1 Subscription to our newsletter and user behavior analysis
4.1.1 Purposes
This processing serves marketing and user behavior analysis.
4.1.2 Data types
We process your contact data (name and email address), consent data, access data and connection data, email user behavior data (event data, device data and demographic characteristics), app user profile data and the overarching category of the diagnosis made (this constitutes health data) as categories of data relating to you.
No data from your medical history forms, the images you created of your skin condition or the specific diagnosis or therapy recommendations are processed.
4.1.3 Legal basis
The legal basis for the subscription and the user behavior analysis of our newsletter is your explicit consent to the newsletter subscription and newsletter user behavior analysis pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR in conjunction with your explicit consent to the processing of health data pursuant to Art. 9 para. 2 subpara. 1 lit. a GDPR.
4.1.4 Storage period
The storage period is until the withdrawal of your consent. We keep a deletion log for three years.
4.1.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, Germany, our email server hoster Neue Medien Münnich GmbH, Hauptstr. 68, 02742 Friedersdorf, Germany, and our user behavior analysis service provider Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.
The above-mentioned data relating to you will be transferred to the United States and Canada as third countries with an adequacy decision pursuant to Art. 45 GDPR.
Your data will be transferred to the following third country without an adequacy decision: India. The legal basis for the transfer of your data to the above-mentioned third country without an adequacy decision is standard contractual clauses pursuant to Art. 46 GDPR. The company provides appropriate safeguards for data protection which you can review upon request.
4.1.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time via the unsubscribe link at the end of each newsletter.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time within the app via the account settings under “Newsletter”.
4.2 User behavior analysis
4.2.1 Purposes
This processing serves user behavior analysis.
4.2.2 Data types
We process your access data, usage data, the number of cases created by you in the webapp, data regarding your interaction with our advertisements, conversion data, your demographic data and your device data as categories of data relating to you.
4.2.3 Legal basis
The legal basis is your explicit consent to marketing analysis pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR.
4.2.4 Storage period
The storage period of Dermanostic GmbH for this processing of the above-mentioned data relating to you is
14 months for Adjust,
6 months for Meta for Business,
24 months for Meta Ads Manager,
14 months for Google Analytics (demographic data 2 months),
24 months for Google Ads tracking,
2 months for Google Firebase Crashlytics,
18 months for TikTok Pixel,
and 14 months for Apple Search Ads.
4.2.5 Recipient
The above-mentioned data relating to you will be transmitted to Adjust GmbH, Saarbrücker Str. 37a, 10405 Berlin, Germany.
The above-mentioned data relating to you will be transmitted to Google Ireland Ltd., Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
The above-mentioned data relating to you will be transmitted to Meta Platforms Ireland Limited, 4 Grand Canal Place Grand Canal Harbour, Dublin 2, Ireland and Meta Platforms Inc., 1 Meta Way, Menlo Park, California 94025, United States.
The above-mentioned data relating to you will be transmitted to TikTok Information Technologies UK Limited, 125 Kingsway, London WC2B 6NH, United Kingdom and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380, Ireland.
The above-mentioned data relating to you will be transmitted to Apple Inc., One Apple Park Way, Cupertino, California 95014, United States.
The above-mentioned data relating to you will be transferred to the United States and the United Kingdom as third countries with an adequacy decision pursuant to Art. 45 GDPR.
4.2.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
You can withdraw your consent for this processing activity at any time in your account settings under the item “Marketing analysis”.
5 Data subject rights
5.1 Your rights as a data subject
You have the following rights towards us regarding the personal data concerning you:
- Right of access and to receive a copy of your data,
- Right to rectification,
- Right to erasure and to be forgotten,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability.
You also have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
5.2 Data subject rights management
5.2.1 Purposes
This processing serves the data protection compliant handling of data subject rights.
5.2.2 Data types
We process all categories of data as categories of data relating to you.
5.2.3 Legal basis
The legal basis is Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Chapter III GDPR.
5.2.4 Necessity
The processing of the above-mentioned data relating to you is necessary for the fulfillment of our legal obligations.
5.2.5 Storage period
The storage period is three years.
5.2.6 Recipient
The above-mentioned data relating to you will be transmitted to our external data protection officer.
5.3 Withdrawal of Consent
Where we base the processing of your personal data on your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, you may withdraw this consent at any time with effect for the future. In the event of withdrawal, we will no longer continue the processing based on that consent for the respective purpose. The lawfulness of the processing carried out up to the time of withdrawal remains unaffected.
Withdrawal may result in certain functions or services of the app no longer being available or being available only to a limited extent (e.g., push notifications, marketing analytics, newsletters, or product development features). Processing activities based on other legal grounds (e.g., statutory retention obligations or performance of a contract) remain unaffected.
5.4 Right to Object to Processing pursuant to Art. 21 GDPR
Subject to statutory exceptions, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. This also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.