Privacy Policy, Curalie App
Last updated: 27/10/2022
Your privacy is important to us. We process your personal data in various contexts if you use the Curalie app (“App”). In the process, we respect your right to data protection, your privacy, and your other rights and freedoms.
1. Controller’s name and contact details
The controller responsible for the data processing described in this privacy policy is:
Curalie GmbH
Leipziger Straße 61 A
10117 Berlin, Germany
e-mail: info@curalie.com
Phone: +49 30 549 071 27
In addition, your personal data may also be processed by other controllers in the course of your use of the App. These controllers may be the relevant healthcare institution with which you are in treatment and that uses the App for the digital treatment, third-party providers of programs offered within the App, or cooperation partners.
Please note that Curalie GmbH, the relevant healthcare institutions, and any third-party providers of programs and cooperation partners act in the course of these activities as separate controllers in principle. You are welcome to contact Curalie GmbH on all matters concerning data protection and/or privacy.
2. Data protection officer contact details
The data protection officer can be reached at the above address, Attn.: Data Protection Officer, or at dataprotection@curalie.com.
3. Content, scope, purposes and legal bases of processing of personal data
As a basic principle, there is no contractual or statutory obligation to provide the data described below. However, please note that if you do not do so, we may not be able to provide the features of the App, or we may be able to do so only with limitations.
3.1 Downloading the App from the app store
When you install the App, you may be required to enter into a use agreement with an app store operator (such as Google or Apple) regarding access to that operator’s portal.
This access requires a valid account with the operator of the app store and an appropriate device (such as a smartphone), and Curalie GmbH has no influence over the processing of data in conjunction with your access to and use of the app store. In this regard, the sole controller responsible for this data processing is the relevant app store operator. Please obtain information directly from the app store operator regarding the details of its processing of data.
3.2 Registering to use the App
Registration is required in order to use the App. During the registration process, identification and communication information will be processed to create a user account and authenticate you personally. This information includes:
- Last name and first name
- Sex
- Date of birth
- Country
- Mobile phone number
- E-mail address
The processing of this data serves to provide the user account and for purposes of unique identification of the user. The latter is a prerequisite for the use of the App. Smartphone verification via code sent by text message is also required for security reasons.
In addition, some information about how you want to use the App may be collected during registration. For example, you may be asked whether you want to use the App more as a “lifestyle app” or with regards to its strictly health oriented features. This data is processed, to suggest particularly relevant features and content specifically for you in the App.
The data is processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the App and perform the use agreement entered into in this regard toward the user and – to the extent that health data are processed to this end – on the basis of the consent granted by the user. This consent is necessary in order to use the App.
3.3 Health Diary
Your personal Health Diary forms the basis for using the App as well as the services and content offered in the App. It especially serves to compile information about your health depending on your use of the App.
Your Health Diary containsthe following information:
| General personal details | Name, first name, sex, date of birth, country |
| Contact details | E-mail address, mobile phone number |
| Billing details | Address, insurance and insurance number |
| General health data | Information of general relevance to you health, which you may have measured yourself (e.g. with so-called health wearables) and recorded in your entries or transferred there via GoogleFit/AppleHealth or which you have provided during your other use of the App: weight, height, waist measurement, steps and activity |
| Medical data / vital signs | Information of medical relevance to your health, which you may have measured yourself with Appropriate medical devices and recorded in your entries or transmitted there via GoogleFit/AppleHealth or which you have provided during your other use of the App: blood pressure, pulse, blood sugar |
| Symptoms | Symptoms that you have recorded yourself in your entries or that you have provided during your other use of the App, such as fever, pain, dizziness or similar |
| Medication | Medication and interventions that are prescribed to you in the course of treatment or that you yourself have recorded in your entries or provided during your other use of the App |
| Health-Check | Information from the Health-Check about your current state of health This includes various information that is general health data and medical data / vital signs (as described above) In addition, the data from the Health-Check also contains further information about your behavior (tobacco and alcohol consumption, diet), specific health factors (psychological risk factors such as stress, depression or anxiety disorder, sleep problems) and disease risks (namely diabetes and heart attack, including relevant previous illnesses and family medical history), as well as the health check’s advice and tips. |
| Tele-Doctor Anamnesis | Information from the Tele-Doctor that you provide about your health as part of the anamnesis-questionnaire This includes various information that is general health data (e.g. weight and height and the BMI calculated from this), medication and symptoms (as described above) Furthermore, the data from the Tele-Doctor also contains additional questions, for example about a possible pregnancy, side effects of your medication, your behaviour (consumption of tobacco, alcohol and other addictive substances) and your medical history (illnesses or allergies, operations and chronic illnesses in the family). |
| Documents | Documents that you or the treating healthcare institution upload in the document upload, e.g. doctor’s letters, findings, diagnoses, information about medical procedures or interventions. |
| Program data | Information from programs offered through the App that you participate in, e.g. participation itself, exercises done, program content viewed, answers from program-specific questionnaires/ PROMs, etc. For individual programs, information about symptoms (as described above) can also be provided. |
The data is processed on the basis of the consent granted by you in the course of registering for the App or when using additional features (namely booking and attending a video consultation, as the case may be. The consent granted in the course of registering is required for the general use of the App, and the consent relating to specific features is required for the use of the relevant feature.
If you consent separately, the data from your Health Diary may also be used by third parties, such as third-party providers of programs (see Sec.3.8) or the treating healthcare institution (see Sec. 3.9).
3.4 Basic featuress of the App, patient surveys
The App offers various basic features that you can use to record data, particularly data relating to your health. This information includes:
- 3.6) and prepare by collecting various information about your health for the treating healthcare institution through an anamnesis-questionnaire The Symptom-Check (see Sec. 3.5)
3.5 Symptom-Check
As part of the basic features of the App, you can use the “Symptom-Check” application to identify which symptoms you are experiencing, what the possible causes might be, and whether or to what extent medical care is necessary. The processing activity consists of the following processing steps in detail:
(a) Collection of information about your health
The Symptom-Check collects information about your health, including certain personal details (age, sex), general risk factors (overweight, high blood pressure, smoking, injuries, pregnancy), and information on your acute symptoms. At the start, the personal details about you are accessed from your Health Diary. After that, you answer a number of questions about your health. The first questions concern general risk factors that have fundamental relevance for your health. The other questions relate to potential further risk factors and acute symptoms you are experiencing. The questions asked are adjusted to you individually depending on what information has already been collected about you, including your responses to previous questions.
(b) Analysis of information collected
The information collected in this way about your health is automatically analyzed in the Symptom-Check. This is done first to select which questions to ask you. As the next step, the overall analysis aims to determine the likelihood that you are experiencing certain health-related conditions (such as illness or injury). This is then used as the basis for the final stage, in which you are shown suggestions regarding the urgency of seeking medical treatment and a possible diagnosis.
(c) Disclosure of information from the Symptom-Check to treating physicians
Curalie GmbH saves the information from the Symptom-Check, both your answers to the questions and the suggestions made based on the analysis. If you book a video consultation using the App, this information may be disclosed to the treating healthcare institution and the treating physicians / nursing staff involved in the specific case (see Sec. 3.6). The treating healthcare institution can use the information to prepare for the subsequent discussion of your medical history with you as well as in the context of your further treatment.
This processing of your data described under (a) and (b) takes place on the basis of your consent given during registration, the processing described under (c) on the basis of the separate consent for the video consultation. Consent is required in order to use the Symptom-Check and to book a video consultation, respectively.
3.6 Video consultation
You can book a video consultation in the App, with Curalie Health Ltd., P.O Box 1730 Sarit Centre, Kenya (“Curalie Health Ltd.”) as treating healthcare institution. When you do this, Curalie GmbH and Curalie Health Ltd. will process your data, including your health data, as follows:
(a) Processing during the booking process
During the booking process, information on the appointment itself and the treating physician are processed, along with your contact details (name, e-mail, and address) and insurance information (such as your insurance number) in order to enable the scheduling of an appointment and the subsequent billing for the video consultation. If this data is not already stored in your Health Diary, it will be collected for the first time within the scope of the booking process and then stored in your Health Diary for future processing. For this step of the processing, Curalie GmbH will be the data controller. If you confirm the appointment, the data from the booking process will be transmitted to Curalie Health Ltd.
(b) Processing to medically prepare and conduct the video consultation
When you book a video consultation, Curalie Health Ltd. and the treating physicians / nursing staff will be granted access to your personal data from the App, including health data. This encompasses the data stored as part of your Health Diary (including data from a Health-Check you may have done before the booking and from the anamnesis-questionnaire you can fill out after the booking). It also comprises information you may have provided before booking the video consultation in the course of a Symptom-Check (see Sec. 3.5). This data is then further processed by Curalie Health Ltd. to medically prepare and conduct the video consultation. Curalie GmbH is not involved with the medical advice and corresponding processing of your data. Rather, Curalie Health Ltd. alone will be the controller for this.
(c) Processing during the video consultation
The technical realization of the video consultation takes place on the platform “CuraMeet” that is operated by Curalie GmbH and which you can reach via the App. During the video consultation, Curalie GmbH processes the content generated during the video consultation, such as audio, video, chat content, and transcriptions, but we only do so for the technical implementation of the video consultation.
(d) Processing after the documentation has been transferred to the App
After the video consultation, the treating physicians / nursing staff can import data from the video consultation (in particular the information noted for the consultation’s documentation) as well as from your further treatment – if applicable – to the App, where it will be stored in the document upload as part of your Health Diary. Curalie GmbH then processes this data as sole controller as described above under 3.3.
Conversely, your data from the App may be processed for a subsequent treatment by Curalie Health Ltd. The treating physicians / nursing staff may also use the chat and calendar features of the App for further coordination and communication with you or use the document upload feature to upload documents from the video consultation or your other treatment; in this case, your personal data (calendar entries, chat messages, content of the documents) will be processed as well.
3.7 Call-back service
As an alternative to the video consultation which can only be reached via the App, you can also access tele-medical treatment without Internet access. To this end, you can book a call-back service. Booking requires that a USSD code is entered in your phone menu. The USSD code consists of numbers, pound signs, and asterisks. It is activated using the dial function. You can then make an appointment with a doctor for a phone consultation and conclude your booking by paying via M-PESA. Afterwards, you will receive a notice that your booking has been successful.
We process your personal data in this context on behalf of, and on the instructions of Curalie Health Ltd. In this regard, Curalie Health Ltd. is the sole controller. The processing of data is based your consent given when booking the consultation through USSD. For details, see the separate privacy policy for the Call-back service available on kenya.curalie.com.
3.8 Participation in programs
The programs are available for activation in the programs section of the App. These informational and prevention programs serve to help users maintain their health, live a healthy lifestyle, and cope with common illnesses and diseases.
Depending on the program, the user is provided with various content having to do with the topic of health, including things like informational articles, physical activities / relaxation exercises, and recipes. In principle, Curalie App users only consume content within the scope of the free programs; no collection of program-specific data occurs beyond that. In individual cases, symptoms may be recorded as well, as described in Sec. 3.4 above. Additionally, data may be collected through patient surveys (so called PROMs), which is described in Sec. 3.3 above.
3.9 Adding treating healthcare institutions
You can add healthcare institutions where you in treatment as treating healthcare institutions in the App. When you do this, the healthcare institution is able to use the App within the scope of your treatment. To this end, the healthcare institution and/or the physicians / nursing staff who work there receive access to your Health Diary and the data stored there. In turn, the healthcare institution and/or the physicians / nursing staff who work there can also add data to your Health Diary and store this information there.
3.10 Usage data
We also process usage data every time the App is accessed. This namely includes the following data:
- Device’s current language settings
- Information on the user’s Internet service provider
- IP (Internet Protocol) address of the device accessing the App
- Date and time of retrieval
- Device ID (e.g., UDID, to identify your device or devices as part of secure authentication)
- User ID on the Curalie platform
- Session ID number
We erase or anonymize the use data, including the IP addresses, without undue delay as soon as they are no longer needed for the aforementioned purposes.
In addition, the following usage data is stored in the login data sets for a maximum of seven days each time a user logs in for purposes of identifying and investigating abuse:
- Date and time of login
- User ID on the Curalie platform.
The data is processed on the basis of statutory provisions that permit the data processing, because it is necessary in order to provide the App to the user in technical terms or because we have a legitimate interest in ensuring the security and functionality of the App and the proper use thereof, without there being an overriding interest on the part of the data subject that conflicts with this.
3.11 Data processing for customer support
If you contact us as a customer in case of problems or questions, we process your contact details (particularly your name, e-mail address, and mobile phone number) to be able to respond to your concern. To this end, we store and process your data.
In this case, your personal data is processed because we have a legitimate interest in supporting our customers in using our products and being able to offer them support and – to the extent that health data is processed to this end – on the basis of the consent granted by the user. This consent is necessary in order to use the App.
3.12 Improvements to the App and programs
If you have granted us your separate consent to this, we moreover use your data to improve the features of the App and further develop it to be more user-friendly or more advanced from a medical standpoint. This also serves the purpose of continuously ensuring that we can offer the app in a secure way. Beyond that, the data may be used to evaluate and improve programs, including the way they work together.
3.13 Use analysis
We analyze data aggregated across all users on the manner in which the App is used (e.g., frequency of use of individual features, issues with user guidance, etc.). We use only technologies operated by Curalie GmbH to analyze this data. This data is processed on the basis of statutory provisions that permit the processing of data because we have a legitimate interest in better understanding the use of the service, without there being an overriding interest on the part of the data subject that conflicts with this. Your health data is not affected by this.
4. Possible recipients of your data
In addition to the other scenarios explicitly described in this privacy policy, your personal data are disclosed without your express prior consent only in the following cases:
4.1 Employees of Curalie GmbH
The primary recipients of your data are the employees of Curalie GmbH.
4.2 Providers of features in the App
In addition to the programs described above, certain further features may be offered by third parties in the App. If you use these features, we will share your data with the relevant provider of the feature, but only if you have granted express prior consent separately to the processing of your data for the feature in question.
4.3 Curalie Health Ltd. and its employees
If you wish to use the video consultation, we transfer certain data from your Health Diary (see Sec. 3.3), that you wish to provide the treating physician / nurse with to Curalie Health Ltd. You have full control over your data and can decide for yourself for which disclosure you wish to grant consent. Please note that holistic treatment offers the best prospects of success. We ensure that the employees of Curalie Health Ltd. have also undertaken an obligation to maintain confidentiality and the secrecy of your data.
4.4 Law enforcement agencies and injured third parties; further government agencies
If necessary to investigate an unlawful or abusive use of the service or for purposes of asserting rights, personal data may be forwarded to law enforcement agencies and, where applicable, to injured third parties. However, this takes place only if and when there are concrete indications of unlawful or abusive behavior. Disclosure may also occur if this serves to enforce terms of use or other agreements. Our legitimate interest in data processing in this case lies in ensuring the proper functioning of our website and the service and, where applicable, establishing, exercising, or defending against legal claims.
We may also be legally obligated to provide information in response to inquiries from certain public bodies, including law enforcement agencies, government agencies that impose fines for regulatory offenses, and fiscal authorities.
4.5 Service providers as data processors
4.6 To provide the features as described in this privacy policy, we occasionally rely on third-party companies and external services providers, which may be based outside the EU or the EEA, for example to host our services (e.g., “CuraMeet”). We select these external service providers carefully and review them regularly to ensure that your privacy is safeguarded, and they are not permitted to use the data except for the purposes stipulated by us. They moreover undertake a contractual obligation toward us to treat your data exclusively in accordance with this privacy policy and EU data protection and privacy laws. Where the matter concerns a body outside the EU or the EEA, we ensure an appropriate level of data protection.Affiliates / corporate transformations
As our business evolves, the structure of our company may transform by changing our legal form or establishing, acquiring, or selling subsidiaries or parts or elements of our company. In the case of transactions like these, we may disclose your data together with the part of the company that is being transferred. Each time we disclose personal data to third parties within the scope described above, we ensure that this takes place in compliance with this privacy policy and the relevant data protection and privacy laws.
5. Your rights as a data subject
As a data subject whose personal data are being processed, you have the following rights in particular:
- Right of access to information: You have the right to access information on the personal data concerning you.
- Right of rectification: You have the right to have inaccurate personal data concerning you rectified or incomplete personal data concerning you completed.
- Right of erasure: You can also obtain from us the erasure of your personal data, for example if your data are no longer required for the purposes for which they were collected or otherwise processed.
- Right to restriction of processing: You moreover have the right to obtain from us the restriction of processing of your personal data; in such a case, the data will be blocked from any and all processing. This right applies in particular if there is any dispute between us concerning the accuracy of the personal data.
- Withdrawal of consent: You have the right to withdraw your consent at any time – for example via the contact channels mentioned in Sec. 1 and 2 above – with effect for the future. Should you wish to exercise this right, please note that the lawfulness of data processing that has already occurred is not affected. In addition, if you withdraw consent, certain features of the App may be unavailable, or you may be unable to use the App or participate in programs at all.
Withdrawal of consent for certain features has the consequence that the relevant healthcare institution and, where applicable, third-party provider of the feature no longer will have any access to your Health Diary.
- Right to data portability: Where we process your personal data to perform a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, commonly used and machine-readable format to the extent that you have provided the data to us.
- Right to object: Furthermore, you can object to the processing of data for reasons arising from your particular situation. However, this applies only in cases in which we process data to fulfill a legitimate interest of Curalie GmbH or a third party. If you can present that there is such a reason and we cannot assert any compelling legitimate interest in continuing the processing, we will no longer process these data for the purpose in question.
If you wish to assert any of your rights as a data subject with regard to personal data processed under our responsibility as the controller or have any questions regarding data protection and/or privacy within our organization, you can contact us using the contact channels mentioned in Sec. 1 and 2 above. After your inquiry has been answered conclusively, we will erase your inquiry three years after the end of the relevant calendar year.
In the event that you wish to assert your rights as a data subject toward third-party providers or cooperation partners, you can contact these entities at any time to do so. For means of contacting your healthcare institution, please see the healthcare institution’s data protection and privacy information.
Finally, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of personal data. The supervisory authority with jurisdiction over Curalie is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin, phone: +493013889-0.
6. Duration of storage of data
Unless otherwise described in this privacy policy, we erase personal data in principle when the purpose for storage thereof no longer applies. There may be an ongoing purpose, in particular, if the data is still needed in order to provide contractual services or to be able to review and abide by or defend against warranty and, where applicable, guarantee claims. Subject to statutory or contractual obligations of retention, we erase data processed on the basis of consent in principle as soon as you withdraw the respective consent. We check at regular intervals whether the purpose of storage has ceased to apply or retention remains necessary.
In the case of statutory retention obligations, which may apply for a period of ten to 30 years in the case of health data, such data will not be erased until after the relevant retention period has elapsed. In this case, we archive these data sets and restrict any further processing.
7. Updates
We reserve the right to adjust the content of this privacy policy at any time. This typically occurs when the services used are further developed or adjusted. You can view the current privacy policy in the App.