Privacy policy for our application
We are pleased about your use of the Climedo software (web application) of Climedo Health GmbH (hereinafter: “Climedo”). The protection of your data is particularly important to us, which is why we always comply with the applicable legal provisions on the protection of personal data and data security. Likewise, our employees have each been extensively trained and committed to confidentiality and compliance with all data protection regulations. You can find out exactly how your data is collected and for what purpose it is processed by us in the following data privacy policy.
We would like to point out that the following data privacy information relates exclusively to the product “Climedo Software”. The websites located in the password-protected area are operated by Climedo Health GmbH as a processor under the responsibility of the respective customer (Data Controller).
The data processor within the meaning of Art. 4 GDPR or processor within the meaning of Art. 28 GDPR is:
Climedo Health GmbH
Schillerstraße 23a
80336 Munich
Germany
Telephone: +49 89 32209394 0
Email: info[at]climedo.de
Represented by the managing directors: Dragan Mileski, Sascha Ritz
If you have any questions about data protection or would like information about the collection, processing or use of your personal data, as well as requests to correct or delete your personal data, please contact us at the above address or the following email address: datenschutz[at]climedo.de.
Our data protection officer is Schmalzer mind+engineering GbR.
Personal data in the sense of the GDPR is all information with which a natural person can be identified or becomes identifiable. This includes in particular your name and your email address that you provide to us (e.g., in the context of registering as a user of the web application or in the context of support requests).
Various categories of personal data are processed in the course of providing and using the Climedo web application. These include data for the technical provision of the web application in your browser as well as data on the use of the web application in order to secure it, to develop it further technically and to provide technical support if required. These processing operations are described in more detail below:
When you call up our web application, so-called “cookies” (small text files) are stored by your browser and your IP address is processed. This is used to enable you to enter data on the web interface and manage study data via our cloud platform.
Cookies can be used for different purposes, e.g., to recognize that your PC has already had a connection to our web application (persistent cookies) or to enable you to use the web application and remain logged in until the user logs out or closes the browser (session cookies).
In order to be able to display the web application to you and allow you to move around within the web application, we use a so-called session cookie.
According to your browser settings regarding the use of cookies, the functionality of our web application may be affected. It is possible that certain functions or areas will not be displayed to you.
The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures according to Art. 6 para. 1 sec. 1 lit. b) GDPR.
Integration of wearables (optional service)
The Climedo software makes it possible to integrate digital recording devices (“wearables”) in order to visualise the physical data, such as the number of daily steps, of patients (anonymised). Climedo assumes no liability or guarantee for the accuracy of the data or devices. Climedo will only retrieve the data via an interface to the WITHINGS servers and make the data available for visualisation in the web portal. For this purpose, we have concluded an order processing contract with WITHINGS, 2 rue Maurice Hartmann, 92130 Issy-les-Moulineaux, France. The processing of personal data exclusively within the EU is therefore contractually agreed. When booking this option, we pass on the rights and obligations arising from this DPA to the customer as the data controller.
The legal basis for this data processing by Climedo is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 subpara. 1 lit. b) and for the fulfillment of legal obligations on the part of the controller pursuant to Art. 6 para. 1 subpara. 1 lit. c) GDPR.
Integration of signature services / “eConsent” (optional service)
The Climedo software makes it possible to integrate the eIDAS-compliant “eConsent” into the workflow in order to digitise and decentralise the process. Climedo assumes no liability or guarantee for the functionality of the service. For this purpose, we have concluded an order processing contract with Yousign, YOUSIGN SAS, RUE DE SUÈDE AVENUE PIERRE BERTHELOT, 14000 CAEN, FRANCE. The processing of personal data exclusively within the EU (France) is therefore contractually agreed. When booking this option, we pass on the rights and obligations arising from this DPA to the customer as the data controller.
The legal basis for this data processing by Climedo is the fulfilment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 subpara. 1 lit. b) and for the fulfilment of legal obligations on the part of the controller pursuant to Art. 6 para. 1 subpara. 1 lit. c) GDPR.
We use a server backend on AWS (Amazon Web Services) for our platform.
This enables us to provide an efficient and secure way to collect and document all data relevant to your study purposes for research into the safety, effectiveness and tolerability of medical procedures, medications and therapies. The AWS environment serves as the central processing location for the study data collected via the web frontend (browser). The backend provides the resources to deliver a secure and user-friendly system for evidence-based clinical research, including automated plausibility and validation checks during data entry. The backend can also be used to manage study participants, research staff and contact management for data collection.
For this purpose, we have concluded a contract processing agreement with Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg, including the current standard contractual clauses of the EU Commission (EU-SCC). The processing of personal data exclusively within the EU is contractually agreed and limited to the AWS Frankfurt region.
As further measures for the protection of personal data, we have implemented encryption solutions and monitoring of the integrity of the cloud environment by means of the AWS CloudHSM in accordance with the recommendation of the European Data Protection Board (EDPB), “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, which effectively prevents access to the personal data and/or the key material. Unauthorized access by a US security authority, by AWS or a hacker attack on the cloud infrastructure as well as a transfer to an insecure third country can thus be virtually ruled out. The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures in accordance with Art. 6 para. 1 sec. 1 lit. b) GDPR.
A user account must be created in order to use the web application. For this purpose, we process your personal data to enable you to use the application and to provide a user-related login.
To create a user account, we process your name and your business email address. If you delete your user account or it is deleted for other reasons, your personal data will also be deleted, provided that no legal retention periods prevent deletion.
The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures in accordance with Art. 6 (1) sec. 1 lit. b) GDPR.
The personal data of the study participants processed as part of your research is processed on our platform and made available to you. The web application allows you to manage the collection and analysis of the research data and to automatically send study participants links via email or SMS to your questionnaires for data collection.
The data processing is carried out by us within the framework of the data processing relationship according to Art. 28 GDPR.
As part of the implemented technical security measures, we process certain data to log data connections and access requests to the web application.
In the first step, the IP address used to establish a data connection from your end device to our cloud provider is examined on the basis of security criteria and the connection request is logged. This serves to protect the web application from unauthorized access or cyber-attacks and enables the tracking of connection attempts or the prevention of data connections originating from known servers used by hackers. Your IP address and the time and duration of the data connection are stored by our cloud provider in so-called log files.
The stored logs of the data connections to the web application are deleted after 90 days. For this purpose, the IP address of the user is removed or obfuscated so that an assignment of an end device is no longer possible for our cloud provider and the data contained no longer have any personal reference.
The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 sec. 1 lit. b) GDPR as well as our legitimate interest in protecting and securing our service pursuant to Art. 6 para. 1 sec. 1 lit. f) GDPR.
In the second step, your access is logged and your login data, your access period (time of login and time of logout) as well as the entries and changes you have made are stored in the web application. This serves to trace changes made to ensure data integrity and to be able to provide you with technical support, if necessary.
Logs of accesses and data entries or changes within the web application are retained until the end of the contract to ensure data integrity and to ensure the resilience and validity of the data in the sense of the research.
The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures according to Art. 6 para. 1 sec. 1 lit. b) GDPR.
Climedo uses the email address provided during registration for the purpose of sending notifications about product-related information such as updates, changes to the General Terms of Use, any malfunctions and comparable information.
The legal basis for sending product-related information is the fulfillment of the contract according to Art. 6 para. 1 sec. 1 lit. b) GDPR.
In addition, Climedo may send product-related information within the meaning of § 7 section (3) UWG to the email address provided during registration.
You can object to the sending of such product-related information at any time by calling up the link contained in the respective email.
The legal basis for sending this product-related information is our legitimate interest in publicizing our similar products or services pursuant to Art. 6 para. 1 sec. 1 lit. f) in conjunction with § 7 (3) UWG.
In order to ensure that performance always meets user requirements and to optimize the web application, Climedo may conduct user surveys and collect feedback in anonymous or pseudonymous form. For this purpose, we collect and process information, which may also include personal data.
The legal basis for this data processing is our legitimate interest in the optimization and further development of our service pursuant to Art. 6 para. 1 sec. 1 lit. f) GDPR in combination with § 7 section (3) UWG.
For user surveys that are not based on anonymized or pseudonymized data, e.g. in order to be able to contact you regarding your feedback, Climedo will obtain your consent in advance pursuant to Art. 6 para. 1 sec. 1 lit. a) GDPR.
As part of our business operations and to process support requests, we use Google Workspace for email communication and video support, among other things. For this purpose, we have concluded a data processing agreement with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, including the current standard contractual clauses of the EU Commission (EU SCC). Processing of personal data exclusively within the EU is contractually agreed.
If you contact us by email, we process your name, your contact details including your email address, and the information you have otherwise provided. This data is stored and used exclusively for the purpose of responding to your request or for contacting you and the associated technical administration.
We use Gmail as our email provider. We use it to receive and send all emails in the course of communicating with customers and conducting business.
In case you contact us via the given support email address, your data (name, incl. email address) will be processed by Freshdesk in order to create a “ticket”, which Climedo will subsequently work on. For more information on Freshdesk, refer to chapter C.3.
We use the Google Meet service for video conferences. We use it for online communication with customers as well as for internal communication within our company.
In Google Meet, various data of the participants in the conversation are collected and stored. This includes IP addresses, email addresses and device names. In addition, conversation content such as sent files and chat histories are stored by Google.
Meetings with our customers via Google Meet are generally not recorded unless this is done for a legitimate purpose as well as on the basis of a separate agreement.
Nevertheless, we would like to point out that it cannot be completely ruled out that personal data may be transferred to the USA or that US security authorities may gain access to it.
All data that you provide to us in the context of a support request or in the context of video support, as well as your email and IP address and other data that is absolutely necessary for sending and receiving mail, is stored on Google’s servers in the European Economic Area.
The legal basis for data processing via Google Workspace is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 sec. 1 lit. b) GDPR or our legitimate interest in the smooth internal processing of our business operations pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR.
Your data will only be stored for as long as is necessary for the above-mentioned purpose. The stored data will be deleted after the purpose of processing has ceased to apply and in accordance with the statutory retention periods.
You can find Google’s privacy policy and terms of use here:
https://policies.google.com/privacy
https://policies.google.com/terms?hl=de
You can view information on Google Workspace IT security here:
https://workspace.google.com/intl/de/security/
We also collect information about your use of the web application in order to further develop and optimize it and to be able to provide you with support.
If contractually agreed, we use Google Analytics, a web analytics service provided by Google LLC, as part of the maintenance, improvement and optimization of our web application (SaaS). The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Analytics uses cookies that enable your use of our web application to be analyzed. The information about your user behavior collected by the cookies is transmitted to a Climedo server. In the course of this processing, we remove your IP address and all other identifying information before the data is transferred to Google (“server-side tracking”). Only in exceptional cases will the data be transferred to a Google server in the USA before processing. Google will use this information on our behalf to evaluate your pseudonymized usage data of the application and to compile reports on your activities. We use the reports provided by Google Analytics to analyze the quality and functionality of our web application. This enables us to provide you with improvements and optimizations based on this data, as well as to comply with the legal requirements regarding IT security and to ensure the functionality and quality of the application during ongoing use.
During your use of the web application, the following data is collected, among others:
The pages you access within the web application and external links, your “click path”
Your user behavior (e.g. clicks, length of stay)
Your approximate location (region)
Your IP address (in abbreviated form)
Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
Your internet provider
The referrer URL (via which website you accessed the web application)
For the purpose of processing, we have concluded a data processing agreement with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, incorporating the current standard contractual clauses of the EU Commission (EU-SCC).
We would like to point out that it cannot be ruled out that personal data will be transferred to the USA and that Google LLC, as an American company, or US security authorities may gain access to this data. We would like to point out that Google may be able to establish a connection to a Google account if the user is logged into the web application and his Google account at the same time.
The legal basis for this data processing is our legitimate interest in the further development and optimization of our web application within the meaning of Art. 6 para. 1 subpara. 1 lit. f) GDPR as well as compliance with legal requirements regarding security, functionality and quality pursuant to Art. 6 para. 1 subpara. 1 lit. c) GDPR in conjunction with Directive (EU) 2019/770 as well as §535 p. 1 BGB and §434 p. 1 No. 1 BGB.
You can find more information on the terms of use of Google Analytics and on data protection at Google at:
https://marketingplatform.google.com/about/analytics/terms/de
https://policies.google.com/?hl=de
As part of our business operations, we use Google Workspace, among other things, to handle business processes and to provide you with operating instructions as well as the user manual for our software and training videos as part of our web application via Google Drive.
For this purpose, we have concluded a data processing agreement with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, incorporating the current standard contractual clauses of the EU Commission (EU SCC). The processing of personal data exclusively within the EU is contractually agreed.
We would like to point out that it cannot be definitively ruled out that personal data will be transferred to the USA and that Google LLC, as an American company, or US security authorities will gain access to it. Furthermore, we would like to point out that Google may be able to establish a connection to a Google account if the user is logged into his Google account at the same time.
The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures in accordance with Art. 6 para. 1 sec. 1 lit. b) GDPR.
You can find Google’s privacy policy and terms of use here:
https://policies.google.com/privacy
https://policies.google.com/terms?hl=de
You can find information about Google Workspace IT security here:
https://workspace.google.com/intl/de/security/
In order to be able to provide you with further support and help for using the application, we are continuously building up a database, the “Knowledge Base”, and integrate it into our web application as an external link. If you follow the link, you will be redirected to our Knowledge Base. We provide the Knowledge Base via the service provider Freshdesk (affiliated company of Freshworks).
When using the Knowledge Base, your IP address is transmitted to Freshdesk.
We have concluded a data processing agreement with Freshworks, Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, incorporating the current standard contractual clauses of the EU Commission (EU-SCC).
The legal basis for the use of Freshdesk is the fulfillment of a contract pursuant to Art. 6 (1) sec. 1 lit. b) GDPR. The privacy policy of Freshdesk can be found here:
https://www.freshworks.com/privacy/
You have various rights under the GDPR, which arise in particular from Art. 15 to 18, 20, 21 GDPR:
You can request information pursuant to Art. 15 of the GDPR about your personal data processed by us. In your request for information, you should specify your request in order to make it easier for us to compile the necessary data. Please note that your right to information may be restricted under certain circumstances in accordance with the statutory provisions (in particular Section 34 BDSG).
If the information concerning you is not (or no longer) correct or incomplete, you may request that it be corrected or completed in accordance with Art. 16 GDPR.
You can request the deletion of your personal data under the conditions of Art. 17 GDPR. However, your right to be forgotten depends, among other things, on whether the data concerning you is still needed by us to fulfill our legal obligations.
Within the framework of the requirements of Art. 18 GDPR, you have the right to request a restriction of the processing of the data concerning you.
Pursuant to Article 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance, provided that the processing is based on your consent or on a contract between you and us and the processing was carried out with the help of automated procedures. Where applicable, you also have the right to have the data transferred directly from us to another controller, insofar as this is technically feasible.
PURSUANT TO ART. 21 GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF PERSONAL DATA RELATING TO YOU, WHERE THE PROCESSING IS CARRIED OUT ON THE BASIS OF ARTICLE 6(1) SUBPARA. 1 SEC. 1 LIT. E) OR F). WE WILL NO LONGER PROCESS THE PERSONAL DATA UNLESS WE ARE LEGALLY OBLIGED TO DO SO.
IF PERSONAL DATA ARE PROCESSED FOR DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING FOR THE PURPOSE OF SUCH MARKETING. THE PERSONAL DATA WILL THEN NO LONGER BE PROCESSED FOR THIS PURPOSE.
If you have given your consent to the use of data, you can revoke this at any time with effect for the future. You can change or revoke your consent to the storage of cookies at any time via the settings in the cookie banner on our website. Alternatively, you can delete the cookies in your browser. If you call up our website again or reload it after deleting the cookies, you will be asked anew whether or to what extent you wish to consent to the processing of your personal data.
If you wish to exercise your rights as described above or if you have any questions regarding data protection, please contact us by email at datenschutz[at]climedo.de or in writing at our postal address.
In any case, you have the right to lodge a complaint with a competent supervisory authority.
Climedo reserves the right to make changes to the privacy policy at any time with effect for the future. When such an update is made, the date of the last change mentioned below will also be updated. Any changes made to our privacy policy will always be available at this location so that Climedo users will always be aware of the information we collect and how we may use and disclose it. We therefore recommend that you regularly inform yourself by means of checking the current data privacy policy.
This privacy policy was translated from the German version for your convenience. The German version is binding and shall prevail in any conflict scenarios.
Privacy Policy (Software) | Version 3.0 | Status: 01.07.2024