Privacy Policy, Curalie Portal

Last updated: 19.07.2022

Your privacy is important to us. We process your personal data in various contexts if you use our Curalie Web application (the “Curalie Portal”). In the process, we respect your right to data protection, your privacy, and your other rights and freedoms. Pursuant to Articles 12 et seqq. of the EU General Data Protection Regulation (GDPR), you have a right to be notified by us regarding the processing of your personal data. With this in mind, we ask that you take the time to read this privacy policy carefully.

This privacy policy applies to the processing of personal data of healthcare institutions (if these are natural persons, such as a physician in private practice) or of employees of healthcare institutions who use the Curalie Portal within the scope of their employment with the healthcare institution.

1 Controller’s name and contact details

As a basic principle, the following is the controller responsible for the data processing described in this privacy policy:

Curalie GmbH, Leipziger Straße 61 A, 10117 Berlin, Germany

E-mail: info@curalie.com
Phone: +49 30 549 071 27

In addition, your personal data may also be processed by other controllers in the course of your use of the Curalie Portal. These may be third-party providers of programs offered within the Curalie Portal. Where your data are processed by one of these further controllers in the course of your use of the Curalie Portal, we will notify you accordingly within the scope of this privacy policy with regard to the relevant data processing operations.

Unless otherwise described in this privacy policy, Curalie GmbH and any third-party providers of programs act in the course of these activities as separate controllers in principle.

2 Data protection officer contact details

The data protection officer of Curalie GmbH can be reached at the above address, Attn.: Data Protection Officer, or at dataprotection@curalie.com.

3 Content, scope, purpose and legal basis of processing of personal data

3.1 Registration in the Curalie Portal

The use of the Curalie Portal requires registration beforehand. During the registration process, identification and communication information will be processed to create a user account and authenticate you personally. This information includes:

  • Last name and first name
  • Sex
  • e-mail address
  • Mobile phone number
  • Password (randomly generated)

The processing of these data serves to provide the user account and for purposes of unique identification of the user.

These data are processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the Curalie Portal to you (point (b) of Article 6(1) GDPR).

3.2 Programs

Where you interact with your patients within the scope of programs offered by Curalie GmbH or third parties via the Curalie Portal, your user account is linked to the relevant account for that patient within the program. Tracking also takes place when you enter certain information within the program as part of supporting the patient. Furthermore, the link creates the possibility that the patient may view personal data of his or her treating physician or of employees of the healthcare institution.

Where you make use of a program offered by Curalie GmbH, Curalie GmbH is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program.

In the case of third-party provider programs, the relevant third-party provider is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program. If you decide to make use of the program in question, the third-party provider receives the data stored in your user account. The identity and contact information of the third-party provider responsible as the controller in the specific case are stored in the relevant program description.

These data are processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the Web application and the relevant program to you (point (b) of Article 6(1) GDPR).

3.3 Use data

Use data are also processed every time the Web app is accessed.

This includes but is not limited to the following data:

  • Device’s current language settings
  • Information on the user’s Internet service provider
  • IP (Internet Protocol) address of the device accessing the App
  • Date and time of retrieval
  • User ID on the Curalie platform
  • Session ID number
  • Status report on whether retrieval was successful
  • Referrer URL
  • Operating system, browser data (operating system, interface, browser, language, browser software version)

We erase or anonymize the use data, including the IP addresses, without undue delay as soon as they are no longer needed for the aforementioned purposes.

In addition, the following user data are stored in the login data sets for a maximum of seven days each time a user logs in for purposes of identifying and investigating abuse:

  • Date and time of login
  • User ID on the Curalie platform
  • Internet Protocol (IP) address
  • Pseudonymized user ID

However, the foregoing data are not stored together with other personal data.

The data are processed on the basis of statutory provisions that permit the data processing because it is necessary in order to provide the Web application to you in technical terms (point (b) of Article 6(1) GDPR) or because we have a legitimate interest in ensuring the security and functionality of the Web application and the proper use thereof, without there being an overriding interest on the part of the data subject that conflicts with this (point (f) of Article 6(1) GDPR).

Finally, we collect in anonymized form the numbers of times content and videos are accessed in order to be able to analyze the content.

3.4 Local storage

Where you have consented to this, we also store your personal data in your browser’s local storage. This storage serves to simplify repeated access to the website and thus contributes to improved user-friendliness. The data stored for this purpose in the local storage are only accessible to you (via the browser). Third parties and other websites cannot read out these data. These data are not combined with other data.

4 Possible recipients of your data

4.1 Employees of Curalie

The primary recipients of your data are the employees of Curalie GmbH. All employees have undertaken an obligation to maintain confidentiality and the secrecy of your data.

4.2 Law enforcement agencies

If necessary to investigate an unlawful or abusive use of the service or for purposes of asserting rights, personal data are forwarded to law enforcement agencies and, where applicable, to injured third parties. However, this takes place only if and when there are concrete indications of unlawful or abusive behavior. Disclosure may also occur if this serves to enforce terms of use or other agreements. Our legitimate interest in data processing in this case lies in ensuring the proper functioning of our website and the service and, where applicable, establishing, exercising, or defending against legal claims (point (f) of Article 6(1) GDPR).

We may also be legally obligated to provide information in response to inquiries from certain public bodies. These bodies are law enforcement agencies, government agencies that impose fines for regulatory offenses, and fiscal authorities (point (c) of Article 6(1) GDPR).

4.3 Service providers

To provide the functions of the Internet site as described in this privacy policy, we occasionally rely on third-party companies and external services providers, which may be based outside the EU or the EEA, for example for our customer service or to host our services. In such cases, information is disclosed to these companies or individuals in order to permit them to engage in further processing. We select these external service providers carefully and review them regularly to ensure that your privacy is safeguarded, and they are not permitted to use the data except for the purposes stipulated by us. They moreover undertake a contractual obligation toward us to treat your data exclusively in accordance with this privacy policy and German data protection and privacy laws. Where the matter concerns a body outside the EU or the EEA, we ensure an appropriate level of data protection by entering into corresponding agreements with the relevant body receiving the data, for example.

4.4 Affiliates / corporate transformations

As our business evolves, the structure of our company may change in that we change our legal form or establish, acquire, or sell subsidiaries or parts or elements of our company. In the case of transactions like these, we may disclose your data together with the part of the company that is being transferred. Each time we disclose personal data to third parties within the scope described above, we ensure that this takes place in compliance with this privacy policy and the relevant data protection and privacy laws.

5 Your rights as a data subject

As a data subject whose personal data are being processed, you have the following rights in particular:

  • Right of access to information: You have the right to access information on the personal data concerning you.
  • Right of rectification: You have the right to have inaccurate personal data concerning you rectified or incomplete personal data concerning you completed.
  • Right of erasure: You can also obtain from us the erasure of your personal data, for example if your data are no longer required for the purposes for which they were collected or otherwise processed.
  • Right to restriction of processing: You moreover have the right to obtain from us the restriction of processing of your personal data; in such a case, the data will be blocked from any and all processing. This right applies in particular if there is any dispute between us concerning the accuracy of the personal data.
  • You have the right to withdraw your consent at any time – for example via the contact channels mentioned in Sec. 1 and above – with effect for the future. Should you wish to exercise this right, please note that the lawfulness of data processing that has already occurred is not affected. Additionally, if you withdraw consent, certain features of the Curalie Portal may be unavailable, or you may be unable to use it at all.
  • Right to data portability: Where we process your personal data to perform a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, commonly used and machine-readable format to the extent that you have provided the data to us.
  • Right to object: Furthermore, you can object to the processing of data for reasons arising from your particular situation. However, this applies only in cases in which we process data to fulfill a legitimate interest of Curalie or a third party. If you can demonstrate that there is such a reason and we cannot assert any compelling legitimate interest in continuing the processing, we will no longer process these data for the purpose in question.

If you wish to assert any of your rights as a data subject with regard to personal data processed under our responsibility as the controller or have any questions regarding data protection and/or privacy within our organization, you can contact us using the contact channels mentioned in Sec. 1 and above. After your inquiry has been answered conclusively, we will erase your inquiry three years after the end of the relevant calendar year.

In the event that you wish to assert your rights as a data subject toward third-party providers, you can contact them at the contact addresses contained in the relevant program description at any time to do so.

Finally, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of personal data. The supervisory authority with jurisdiction over Curalie is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin, phone: 030 13889-0

6 Duration of storage of data

Unless otherwise described in this privacy policy, we erase personal data in principle when the purpose for storage thereof no longer applies. There may be an ongoing purpose, in particular, if the data are still needed in order to provide contractual services or to be able to review and abide by or defend against warranty and, where applicable, guarantee claims. Subject to statutory or contractual obligations of retention, we erase data processed on the basis of consent in principle as soon as you withdraw consent. We check at regular intervals whether the purpose of storage has ceased to apply or retention remains necessary.

In the case of statutory retention obligations, which may apply for a period of ten to 30 years in the case of health data, erasure does not enter into consideration until after the relevant retention period has elapsed. Should erasure not be permissible based on statutory retention obligations, we restrict the processing thereof to mere archiving of these data sets.

7 Updates

We reserve the right to adjust the content of this privacy policy at any time. This typically occurs when the services used are further developed or adjusted.