Privacy policy
The protection of your personal data is not only of great concern to you, but also to us, the persons jointly responsible for the app "dermanostic" (hereinafter "we", "us"). We appreciate your trust that we will handle your personal data conscientiously and in accordance with the law. Your data will be treated confidentially by us.
With this data protection notice, we not only wish to comply with our legal obligation under Articles 13 and 14 of the General Data Protection Regulation (GDPR), but also to provide you with an understandable description of what personal data is collected when you visit our website and how we handle it.
Controller
The controller responsible for processing in accordance with Art. 24 GDPR is:
Dermanostic GmbH, Merowingerplatz 1, 40225 Düsseldorf
You can contact the controller with your concerns at any time using the contact details above or by e-mail to datenschutz@dermanostic.com.
Contact details of the data protection officer
You can contact the data protection officer of the controller by sending an e-mail to datenschutzbeauftragter@dermanostic.com.
1 Use of the Website
1.1 Provision of the Website
1.1.1 Purposes
This processing serves the external presentation of our company.
1.1.2 Data types
We process connection data (access data and device data) as categories of data relating to you.
1.1.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
1.1.4 Necessity
The processing of the above-mentioned data relating to you is necessary for contacting us. If you do not provide us with the above-mentioned data relating to you, we will not be able to display our website.
1.1.5 Storage period
The storage period is the duration of the browser session.
The storage period by YouTube is, if you are logged into a Google account, until the data is deleted within the account by the user or until the entire Google account is deleted by the user, and two years for technically necessary cookies.
If you are not logged into a Google account, the data will be stored until the YouTube search history and playback history are deleted, and two years for technically necessary cookies.
1.1.6 Recipient
The above-mentioned data relating to you will be transmitted to DigitalOcean LLC, 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, USA.
The above-mentioned data relating to you will be transmitted to Alphabet, Inc., 901 Cherry Ave., San Bruno, CA 94066, USA.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
1.2 Website Security
1.2.1 Purposes
This processing serves to ensure the smooth operation of the website.
1.2.2 Data types
We process connection data (access data and device data) and your system information as categories of data relating to you.
1.2.3 Legal basis
The legal basis is our legal obligation to ensure the secure processing of personal data pursuant to Art. 6 para. 1 subpara. 1 lit. c in conjunction with Art. 24 and 32 GDPR.
1.2.4 Storage period
The storage period is 30 days.
1.2.5 Recipient
The above-mentioned data relating to you will be transmitted to Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107 USA.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
1.3 Consent Management
1.3.1 Purposes
This processing serves the management and documentation of your consents.
1.3.2 Data types
We process consent data as data relating to you.
1.3.3 Legal basis
The legal basis is our obligation to provide proof pursuant to Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Art. 5 para. 2 and Art. 7 para. 1 GDPR.
The storage of technically necessary cookies on your device for managing and documenting your consent is based on Art. 5 para. 2 GDPR in conjunction with Art. 6 para. 1 subpara. 1 lit. c GDPR and § 25 para. 2 no. 2 TTDSG.
1.3.4 Necessity
The processing of the above-mentioned data relating to you is necessary for fulfilling our legal obligations.
1.3.5 Storage period
The storage period is until you withdraw your consent. To fulfill our obligation to provide proof, we keep a deletion log for three years.
1.3.6 Recipient
The above-mentioned data relating to you will be transmitted to DigitalOcean LLC, 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, USA.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
2 Employee Program
2.1 Registration for the Employee Program
2.1.1 Purposes
This processing serves the user management of the employee program.
2.1.2 Data types
We process your email address and access data as categories of data relating to you.
2.1.3 Legal basis
The legal basis is your explicit consent to the employee program pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR.
2.1.4 Storage period
The storage period is until you withdraw your consent. We keep a deletion log for three years.
2.1.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, and our email server host Neue Medien Münnich GmbH, Hauptstr. 68, 02742 Friedersdorf.
2.1.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time via email to datenschutz@dermanostic.com.
You can also withdraw your consent in your account settings under “Employee Program” by deleting the registration code.
3 Contact
3.1 Contacting us by phone and email
3.1.1 Purposes
Processing via telephone and email serves to respond to inquiries as well as customer acquisition, contract processing, press/data protection inquiries and user and patient support.
Processing via appointment booking in the calendar serves to respond to inquiries as well as customer acquisition and contract processing.
3.1.2 Data types
We process your contact data and the content of your request as categories of data relating to you.
3.1.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
3.1.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
3.1.5 Storage period
The storage period is six months unless a contract has been concluded. Contract-related data will then be stored in accordance with the respective legal regulations.
3.1.6 Recipient
When contacting us by email, the above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, and our email server host Neue Medien Münnich GmbH, Hauptstr. 68, 02742 Friedersdorf.
If your inquiry is addressed to our sales department, the above-mentioned data relating to you will be transmitted to Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia.
4 Marketing
4.1 User behavior analysis
4.1.1 Purposes
This processing serves the analysis of user behavior and the use of personalized and non-personalized advertising as well as the personalization of advertisements.
4.1.2 Data types
We process your connection data (access and device data), your usage data, data relating to your interaction with our advertisements, your demographic data, your unique advertising identifier and your unique device identifier as categories of data relating to you.
Cookies and mobile advertising IDs are used by Google for both personalized and non-personalized advertising.
4.1.3 Legal basis
The legal basis is your explicit consent to the marketing analysis pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR.
4.1.4 Storage period
The storage period of Dermanostic GmbH for this processing of the above-mentioned data relating to you is
for Google Analytics 14 months (demographic data 2 months),
for Google Ads tracking 24 months,
for Meta Pixel 24 months,
for Meta for Business 6 months,
for Meta Ads Manager 24 months,
for Microsoft Advertising 180 days,
for Pinterest Advertising 6 months,
for Spotify Ads 180 days,
for X Advertising 6 months,
and for LinkedIn Insight Tag 180 days.
4.1.5 Recipient
The above-mentioned data relating to you will be transmitted to Google LLC, 1600 Amphitheatre Pkwy., Mtn. View, CA 94043, USA.
If you give your consent, your personal data will also be processed by Google for the personalization of advertisements. Information on how Google uses your data can be found here:
https://business.safety.google/privacy/
The above-mentioned data relating to you will be transmitted to Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland and Meta Platforms Inc., 1 Meta Way, Menlo Park, California 94025, United States.
The above-mentioned data relating to you will be transmitted to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
The above-mentioned data relating to you will be transmitted to Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
The above-mentioned data relating to you will be transmitted to Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden and Spotify USA Inc., 150 Greenwich Street, Floor 62, New York, NY 10007, USA.
The above-mentioned data relating to you will be transmitted to X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland and X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
The above-mentioned data relating to you will be transmitted to LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland and LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
4.1.6 Your right to withdraw your consent
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time at https://dermanostic.com/datenschutz.
You can withdraw your consent for this processing activity at any time by email to datenschutz@dermanostic.com.
4.2 Registration for our newsletter and user behavior analysis
4.2.1 Purposes
This processing serves marketing and user behavior analysis.
4.2.2 Data types
We process your email address, your access data, email user behavior data, your device data, your connection data, your consent data and the number of cases you submit in the app as categories of data relating to you.
4.2.3 Legal basis
The legal basis for registering for our newsletter is your explicit consent to the newsletter subscription pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR.
The legal basis for user behavior analysis is Art. 6 para. 1 subpara. 1 lit. f GDPR. Our legitimate interest is marketing analysis.
4.2.4 Storage period
The storage period is until you withdraw your consent. We keep a deletion log for three years.
4.2.5 Recipient
The above-mentioned data relating to you will be transmitted to Telekom Deutschland GmbH, Landgrabenweg 149, 53227 Bonn, and our email server host Neue Medien Münnich GmbH, Hauptstr. 68, 02742 Friedersdorf.
4.2.6 Your right to withdraw your consent (Newsletter registration)
You have the right to withdraw your consent at any time with effect for the future. The legality of the processing carried out on the basis of your consent before the withdrawal remains unaffected.
You can withdraw your consent for this processing activity at any time via the unsubscribe link at the end of every newsletter.
You can withdraw your consent for this processing activity at any time by email.
You can withdraw your consent for this processing activity at any time within the app via the account settings under “unsubscribe newsletter”.
4.2.7 Your right to object (User behavior analysis)
Pursuant to Art. 21 GDPR you have the right to object to the above-described processing of data relating to you if there are reasons arising from your particular situation or if your objection is directed against direct marketing.
You may exercise your right to object at any time by email to datenschutz@dermanostic.com.
5 Social media presences
5.1 Facebook presence
5.1.1 Purposes
This processing serves the external presentation of our company.
5.1.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.1.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.1.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.1.5 Storage period
With a registered account, the storage period is until the data within the account is deleted by the user or until the entire account is deleted by the user, and technically necessary cookies are stored for up to 5 years. Without a registered account, technically necessary cookies are stored for up to 5 years.
5.1.6 Recipient
The above-mentioned data relating to you will be transmitted to Meta Platforms Ireland Limited, 4 Grand Canal Place, Grand Canal Harbour, Dublin 2, Ireland and Meta Platforms Inc., 1 Hacker Way, Menlo Park, California 94025, USA and to Agorapulse SAS 35, Bd de Sébastopol 75001 Paris, France.
5.1.7 Learn more about shared responsibility
Further information can be found here:
https://www.facebook.com/legal/terms/page_controller_addendum
Information on the processing of Page Insights data can be found here:
https://www.facebook.com/legal/terms/information_about_page_insights_data
5.2 Instagram presence
5.2.1 Purposes
This processing serves the external presentation of our company.
5.2.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.2.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.2.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.2.5 Storage period
With a registered account, the storage period is until the data within the account is deleted by the user or until the entire account is deleted by the user, and technically necessary cookies are stored for up to 5 years. Without a registered account, technically necessary cookies are stored for up to 5 years.
5.2.6 Recipient
The above-mentioned data relating to you will be transmitted to Meta Platforms Ireland Limited, 4 Grand Canal Place, Grand Canal Harbour, Dublin 2, Ireland and Meta Platforms Inc., 1 Hacker Way, Menlo Park, California 94025, USA and to Agorapulse SAS 35, Bd de Sébastopol 75001 Paris, France.
5.2.7 Learn more about shared responsibility
https://www.facebook.com/legal/terms/page_controller_addendum
https://www.facebook.com/legal/terms/information_about_page_insights_data
5.3 LinkedIn presence
5.3.1 Purposes
This processing serves the external presentation of our company.
5.3.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.3.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.3.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.3.5 Storage period
With a registered account, the storage period is until the account is deleted by the user and technically necessary cookies are stored until they are deleted by the user or the browser.
Without a registered account, technically necessary cookies are stored until they are deleted by the user or the browser.
5.3.6 Recipient
The above-mentioned data relating to you will be transmitted to LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland and LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA and to Agorapulse SAS 35, Bd de Sébastopol 75001 Paris, France.
5.3.7 Learn more about shared responsibility
5.4 Pinterest presence
5.4.1 Purposes
This processing serves the external presentation of our company.
5.4.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.4.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.4.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.4.5 Storage period
The storage period is until the data within the account is deleted by the user or until the entire account is deleted by the user. Session cookies are stored until the browser session ends and persistent cookies until they are deleted in the browser by the user.
5.4.6 Recipient
The above-mentioned data relating to you will be transmitted to Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
5.5 TikTok presence
5.5.1 Purposes
This processing serves the external presentation of our company.
5.5.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.5.3 Legal basis
The legal basis of Dermanostic GmbH is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.5.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.5.5 Storage period
The storage period is 18 months.
5.5.6 Recipient
The above-mentioned data relating to you will be transmitted to TikTok Information Technologies UK, 125 Kingsway, London WC2B 6NH, United Kingdom, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and to Agorapulse SAS 35, Bd de Sébastopol 75001 Paris, France.
The above-mentioned data relating to you will be transferred to the United Kingdom and South Korea as third countries with an adequacy decision pursuant to Art. 45 GDPR.
Your data will be transferred to the following third countries without an adequacy decision: USA, Singapore and Russia. The legal basis for the transfer of your data to the above-mentioned third countries without an adequacy decision is standard contractual clauses pursuant to Art. 46 GDPR. The company provides appropriate safeguards for data protection, which you can review upon request.
5.5.7 Learn more about shared responsibility
We have concluded an agreement on joint controllership with TikTok Information Technologies UK, 125 Kingsway, London WC2B 6NH, United Kingdom and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
According to this agreement, the company assumes the fulfillment of transparency obligations and you can find out more about the processing of your personal data here:
https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms
5.6 X presence
5.6.1 Purposes
This processing serves the external presentation of our company.
5.6.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.6.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.6.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.6.5 Storage period
With a registered account, the storage period is until the data within the account is deleted by the user or until the entire account is deleted by the user, and technically necessary cookies are stored for up to 13 months. Without a registered account, technically necessary cookies are stored for up to 13 months.
5.6.6 Recipient
The above-mentioned data relating to you will be transmitted to X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
The above-mentioned data relating to you will be transferred to the USA and Japan as third countries with an adequacy decision pursuant to Art. 45 GDPR.
5.6.7 Learn more about shared responsibility
We have entered into a joint controllership agreement with X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA:
https://gdpr.twitter.com/en/controller-to-controller-transfers.html
According to this agreement, the company assumes the fulfillment of transparency obligations and you can find out more about the processing of your personal data here:
5.7 Spotify presence
5.7.1 Purposes
This processing serves the external presentation of our company.
5.7.2 Data types
We process the content of your request, your user data and the date of communication as categories of data relating to you.
5.7.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.7.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.7.5 Storage period
With a registered account, the storage period is until the data within the account is deleted by the user or until the entire account is deleted by the user, and technically necessary cookies are stored until they are deleted by the user or the browser.
Without a registered account, technically necessary cookies are stored until they are deleted by the user or the browser.
5.7.6 Recipient
The above-mentioned data relating to you will be transmitted to Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden and Spotify USA Inc., 150 Greenwich Street, Floor 62, New York, NY 10007, USA.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
5.8 YouTube channel
5.8.1 Purposes
This processing serves the external presentation of our company.
5.8.2 Data types
We process audio and audiovisual content as categories of data relating to you.
5.8.3 Legal basis
The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.
5.8.4 Necessity
The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we will not be able to process your request.
5.8.5 Storage period
The storage period is until the YouTube channel is deleted.
5.8.6 Recipient
The above-mentioned data relating to you will be transmitted to Alphabet Inc., 901 Cherry Ave., San Bruno, CA 94066, USA and to Agorapulse SAS 35, Bd de Sébastopol 75001 Paris, France.
The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.
6 Data Subject Rights
6.1 Your rights as a data subject
You have the following rights regarding the personal data relating to you:
- the right of access pursuant to Art. 15 GDPR
- the right to rectification pursuant to Art. 16 GDPR
- the right to erasure pursuant to Art. 17 GDPR
- the right to restriction of processing pursuant to Art. 18 GDPR
- the right to data portability pursuant to Art. 20 GDPR
- the right to object pursuant to Art. 21 GDPR
You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data relating to you violates the GDPR pursuant to Art. 77 GDPR.
6.2 Data subject rights management
6.2.1 Purposes
This processing serves the data protection compliant handling of data subject rights.
6.2.2 Data types
We process all categories of data as categories of data relating to you.
6.2.3 Legal basis
The legal basis is Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Chapter III GDPR.
6.2.4 Necessity
The processing of the above-mentioned data relating to you is necessary for fulfilling our legal obligations.
6.2.5 Storage period
The storage period is three years.
6.2.6 Recipient
The above-mentioned data relating to you will be transmitted to our external data protection officer.
6.3 Withdrawal of Consent
Where we base the processing of your personal data on your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, you may withdraw this consent at any time with effect for the future. In the event of withdrawal, we will no longer continue the processing based on that consent for the respective purpose. The lawfulness of the processing carried out up to the time of withdrawal remains unaffected.
Withdrawal may result in certain functions or services of the app no longer being available or being available only to a limited extent (e.g., push notifications, marketing analytics, newsletters, or product development features). Processing activities based on other legal grounds (e.g., statutory retention obligations or performance of a contract) remain unaffected.
6.4 Right to Object to Processing pursuant to Art. 21 GDPR
Subject to statutory exceptions, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. This also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.