Privacy policy of Oska Health Medical

The controller takes the protection of your personal data seriously and therefore complies with the applicable data protection laws. With this data protection declaration, the data controller fulfils its information obligations under Art. 12 et seq. of the German data protection Regulation (hereinafter "DSGVO") and informs you about the details of the processing of your data as well as your legal rights in this respect.


This data protection declaration applies to the use of the website of the controller, which can be accessed at https://www.oska-health.com and any associated sub-domains. For the services offered by the responsible party within the framework of the Oska app, the data protection declaration stored there applies in conjunction with the general terms of use of the responsible party.


The responsible party reserves the right to adapt this data protection declaration with effect for the future, in particular in order to react to changes in the law or changes in jurisdiction as well as technical developments.

Definitions

  • Pursuant to Art. 4 No. 7 of the DSGVO, the "controller" is the person who decides on the purposes and means of the processing of personal data. Above all, he determines what, how and for what purpose the data are processed. He is responsible for the processing and must ensure that the data protection regulations are complied with.
  • Pursuant to Art. 4 No. 8 of the DSGVO, a "processor" is a person who acts on behalf of the controller and processes personal data on the controller's behalf.
  • Pursuant to Art. 4 No. 1 of the DSGVO, "personal data" means all information that can be directly or indirectly attributed to an identifiable natural person (data subject).
  • According to Art. 4 No. 2 of the DSGVO, "processing" means all possible types of data processing. This includes, in particular, the collection, recording, organisation, arrangement, storage, adaptation, modification, reading out, interrogation, use, disclosure, transmission, dissemination, linking, restriction, erasure or destruction of personal data.
  • Pursuant to Art. 4 No. 1 of the DSGVO, "data subject" means the natural person to whom the data processed by the controller can be directly or indirectly attributed.
  • Pursuant to Art. 4 No. 9 DSGVO, a "recipient" is the person to whom personal data are disclosed, irrespective of whether it is a third party or not.
  • Pursuant to Article 4(10) of the DSGVO, a "third party" is anyone other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.
  • "Special categories of personal data" are, in accordance with Article 9(1) of the DSGVO, in particular also health data of the data subject. These data require a higher level of protection.
  • Pursuant to Art. 4 No. 15 of the DSGVO, "health data" means personal data relating to the physical or mental health of the data subject and revealing information about the health status of the data subject.
  • "Consent" means, in accordance with Article 4(11) of the DSGVO, any freely given, specific, informed and unambiguous indication of the data subject's wishes in the form of a statement or other unambiguous affirmative act (e.g. ticking a checkbox) by which the data subject signifies his or her agreement to the processing of his or her personal data.

Information on the responsible party

The party responsible for data processing within the scope of the services offered, within the meaning of Art. 4 No. 7 DSGVO, is the provider of those services:


Oska Health Medical GmbH

Habichtweg 5

40670 Meerbusch

Germany


represented by the management.

Questions about data protection

Should you have any questions regarding the processing of your data by the data controller within the scope of the range of services offered as well as regarding the exercise of your data subject rights within the meaning of the DSGVO, you can contact the data controller or its data protection officer at any time by telephone at +49 69 348 666 999 or by e-mail at dataprotection@oska-health.com.


Please note that in the event of an assertion of data subject rights (e.g. request for information), the data controller must first ensure your identity by means of a procedure suitable for this purpose.


The data protection officer appointed by the responsible party is:


Philip Kopf, Dipl.-Jur.

QuR.digital GmbH

Große Elbstraße 42

22767 Hamburg


Tel.: +49 (40) 3252 4552


E-mail: dataprotection@oska-health.com

Notes on data security

To ensure the best possible protection of your personal data, Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption is used for data transmission. This encryption ensures that the data you transmit within the framework of the website cannot be read, diverted or changed by unauthorised third parties during transmission.


Insofar as your data is stored by the responsible party, this storage takes place exclusively in appropriately security-certified data centres within the European Union (EU) within the scope of the GDPR. The data controller expressly reserves the right to involve external service providers (so-called order processors) for the storage and processing of your data, who will, however, act exclusively on behalf of and in accordance with the instructions of the data controller. The processors used by the controller are contractually obliged to take technical and organisational measures (TOMs) that are suitable, according to the current state of the art, to ensure that your data is processed in compliance with data protection and data security requirements.


In no case will the data controller or a processor used by the data controller pass on or sell your data to third parties without a legal basis.

Data transfer to third-party countries

The controller may use service providers as processors that have their registered office in a third country or are part of an international organisation that has its registered office in a third country. In the context of the GDPR, a third country is a country that is not a member of the European Union (EU) or the European Economic Area (EEA) and therefore does not fall under the regulatory influence of the GDPR. What these third countries have in common is that they sometimes have their own data protection law, the content of which may, however, be below the level of protection provided by the GDPR. Against this background, Art. 44 GDPR stipulates that the transfer of data to third countries is only permitted under certain legal conditions.

As a rule, the permissibility of data transfer to third countries is based on an adequacy decision between the EU Commission and the third country concerned in accordance with Art. 45 GDPR. The existence of an adequacy decision indicates that the data protection law applicable in the third country in question provides a level of protection for your personal data that is comparable to the GDPR. If no such adequacy decision exists, data transfer pursuant to Art. 46 (2) (c) GDPR is alternatively based on the conclusion of a contract between the controller and the relevant service provider on the basis of the standard contractual clauses issued by the EU Commission. These contractual clauses provide a sufficient guarantee on the part of the respective service provider also with regard to the enforceability of the rights of data subjects provided for by the GDPR.

You will be expressly informed by us in this privacy policy if a service provider has such a third country connection. In this case, by giving your consent, you agree that your personal data may be transferred to such a company.

Your data subject rights

As a data subject within the meaning of Art. 4 No. 1 DSGVO, you are entitled to certain indispensable rights (data subject rights) under the DSGVO. Accordingly, you have the right

  • to request information on which of your personal data the data controller has stored, in accordance with Art. 15 DSGVO;
  • in accordance with Art. 16 of the DSGVO, to demand the correction or completion of the data that the controller has stored about you without delay;
  • in accordance with Article 17 of the DSGVO, to request the deletion of the data which the controller has stored about you, unless this is prevented by Article 17(3) of the DSGVO;
  • in accordance with Article 18 of the Regulation, to request the restriction of the processing of the data which the controller has stored about you, provided that the conditions of Article 18(1)(a)-(d) of the Regulation apply;
  • in accordance with Article 20 of the DSGVO, to request the transfer of the data that the controller has stored from you in a structured, common and machine-readable format without any obstacles;
  • to object to the processing of your data in accordance with Article 21 DSGVO, provided that it is processed by the controller on the legal basis of Article 6(1)(f) DSGVO ("legitimate interest") and your objection arises from a specific situation or is directed against direct marketing. In the latter case, you may also object to the processing without any reason;
  • in accordance with Art. 7(3) of the DSGVO, to withdraw your consent to the processing of your personal data at any time with effect for the future;
  • to lodge a complaint with the competent supervisory authority pursuant to Art. 77 DSGVO.

You can exercise your data subject rights by notifying the controller at the contact details above. The controller reserves the right to ensure your identity through a procedure suitable for this purpose before responding to your request.

Website access and access data

As soon as you call up the website of the person responsible, the end device used by you automatically transmits access data (so-called log files) to the hosting provider of the website. These log files contain, among other things, personal data.


Processed data

  • IP address
  • Date and time of the request
  • Time zone
  • Content of the request
  • Access status/http status code
  • Amount of data transferred
  • Content from which the request came (referrer URL)
  • Operating system of the end device
  • Version of the app

Purpose of processing

The log files are absolutely necessary to ensure the technical functionality of the website. In particular, the transmission of your IP address is necessary to enable the website to be displayed on the end device you are using. The data stored as part of the log files are neither merged with other data sources nor used to identify individual users. In particular, no evaluation of the collected data for marketing purposes takes place.


Lawfulness of the processing

The data controller bases the lawfulness of this data processing on Art. 6 (1) (f) DSGVO. The "legitimate interest" required for this follows from the desire to provide you with a secure and trouble-free user experience of the website.


Recipient of the data

The recipient of your personal data within the meaning of Art. 4 No. 9 DSGVO is the hosting provider of the website, Vercel. In this context, Vercel acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to establish and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


In this context, please note that Vercel Inc. has its registered office in the USA. Data transfer to the USA is not planned in principle, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies.


Duration of storage

The log files are automatically deleted after 14 days at the latest, or altered in such a way that they can no longer be attributed to you.


Note on your data subject rights

You have the right to object to this processing at any time in accordance with Art. 21 DSGVO, on grounds relating to your particular situation. Unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or the processing serves the purpose of asserting, exercising or defending legal claims, the controller shall cease processing.

Cookie usage

In addition to the aforementioned access data (log files), cookies may also be used on the website. These are small text files that are automatically saved by the browser you are using and stored on the terminal device you are using. Cookies do not contain viruses, Trojans or other malware that could cause damage to the end device you are using.


Please note in this context that the use of certain cookies may be necessary for technical reasons (e.g. to enable the website to be displayed on your terminal device). These "technically necessary cookies" are to be distinguished from cookies whose use serves other purposes (e.g. analysis of user behaviour). These are "technically non-essential cookies".


In the following, only the processing in the context of the use of technically necessary cookies will be dealt with initially. Insofar as the controller should use technically non-essential cookies within the framework of the website platform for the purpose of usage analysis, you will be informed about this in separate sections of this data protection declaration. If you do not find any information on this, this means that no corresponding services and therefore no technically non-essential cookies are used.


Data processed:

  • Form data (e.g. log-in information)
  • Language settings
  • History data (e.g. search terms entered)


Purposes of processing:

The cookies used by the controller enable the controller to recognise that you have already visited individual areas or pages of the website and ensure that you do not have to make certain entries and settings again that you have already made within the framework of the website.


Legal basis of processing:

The data controller bases the lawfulness of this data processing on Art. 6 (1) (a) DSGVO. You give your consent within the framework of a cookie banner, which is displayed to you when you first access the website.


Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 DSGVO is the hosting provider of the website, Vercel. In this context, Vercel acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


The controller also uses the Usercentrics Consent Management Tool to manage your consent. In this context, Usercentrics also acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


The controller uses Builder.io to set up and manage the website. Although Builder.io does not act as a processor for the controller in this context, it uses a pixel to collect the number of hits per website. In this respect, we refer to Builder.io's privacy policy, which can be accessed at https://builder.io/docs/privacy.

Please note in this context that Builder.io Inc. has its registered office in the USA. Data transfer to the USA is generally not intended, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies.


Storage period

The cookies used are either deleted immediately when you end your visit to the website or only automatically after a fixed period of time that cannot be determined by the controller.


Note on your data subject rights:

In accordance with Art. 7 (3) DSGVO, you may revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation.



You can also prevent the use of cookies by deactivating or gradually restricting the automatic setting of cookies in the settings of the browser you use. Cookies already stored on the terminal device you are using can also be deleted manually by you in this context. Please note, however, that the partial or complete deactivation of cookies in the settings of your browser may mean that you can no longer use the website or can no longer use it to its full extent.

Transfer of data to third parties

The data controller will only pass on your data to third parties within the meaning of Art. 4 No. 10 DSGVO if

  • you have given your express consent to the disclosure in accordance with Art. 6(1)(a) DSGVO;
  • the disclosure is necessary in accordance with Art. 6(1)(b) DSGVO for the initiation or performance of a contract between you and the controller;
  • the controller is legally obliged to disclose in accordance with Art. 6(1)(c) DSGVO;
  • the disclosure is necessary in accordance with Art. 6(1)(f) DSGVO on the basis of the "legitimate interest" of the controller for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest requiring protection in not having your data disclosed.


Contact with the responsible person

You have the possibility to contact the controller from the website (e.g. by e-mail); for example, to request a demo version of Oska. The processing of your request requires the controller to process the personal data you provide in connection with the request.


Data processed

  • First name, last name
  • Date and time of your request
  • E-mail address
  • Content of your request

Purpose of processing


The data you provide when contacting us will be processed by the data controller for the sole purpose of handling and responding to your request.


Legality of processing

The controller bases the lawfulness of this data processing on Art. 6(1)(a) DSGVO. You give your consent by actively sending your message (e.g. by e-mail) to the controller. Furthermore, the controller bases the lawfulness of this data processing on Art. 6 (1) (b) DSGVO, insofar as your contact is made for the purpose of requesting a demo version of Oska, as in this case the contact is made for the purpose of initiating a contract of use between you and the controller.


Recipient of the data

The recipient of your personal data within the meaning of Art. 4 No. 9 DSGVO is the hosting provider of the e-mail and mail exchange software, Google Workspace. In this context, Google Workspace acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


In this context, please note that Google Inc. has its registered office in the USA. Data transfer to the USA is not planned in principle, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies.


Furthermore, the Zapier service is used by the controller to forward your message. In this context, Zapier also acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


Please note in this context that Zapier Inc. has its registered office in the USA. Data transfer to the USA is generally not intended, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies.


The controller uses the sipgate service to process telephone enquiries. In this context, sipgate also acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain suitable technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


Storage period

The data processed will be stored by the data controller only for as long as is necessary to process and respond to your request. Subsequently, the data will be deleted by the responsible party, provided that the deletion does not conflict with any statutory retention obligations.

Contacting the coach, data transfer

You have the option of voluntarily requesting contact with a coach from the website. Contact can be made by telephone or via a virtual meeting (video call), depending on your preference. In order to process your enquiry, it is necessary for the controller to process the personal data provided by you as part of the enquiry. If necessary, the controller reserves the right to send your data to a specialised doctor. Personal data will only be collected and processed in this context if you actively consent to the further processing of your personal data.


Processed data:

  • First name, surname
  • Telephone number
  • E-mail address
  • Calendar information
  • Name of the insurance company
  • Date and time of potential medical appointments


Purposes of the processing:

The controller collects data with the aim of offering you the opportunity to contact a coach. In addition, this information is used to facilitate the coordination of contact with a doctor and to ensure effective care and follow-up after forwarding to the doctor.


Legal basis:

The lawfulness of this data processing is based on Article 9(2)(a) GDPR. You give your consent by ticking a checkbox provided for this purpose after you have completed the questionnaire to determine your personal risk score on the website.


Recipients of the data:

The recipients of your personal data within the meaning of Art. 4 No. 9 GDPR are the online appointment booking service Calendly, the automation tool Zapier, Google Workspace and Amazon Web Services (AWS). In this context, these services act as processors within the meaning of Art. 4 No. 8 GDPR for the controller and have been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of data processing agreements (DPAs).

In this context, please note that Calendly LLC and Zapier Inc. have their registered office in the USA. Data transfer to the USA is generally not intended, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies.

Other recipients of your data within the meaning of Art. 4 No. 9 GDPR are, if you have given us your express consent in accordance with Art. 9 para. 2 lit. a GDPR, your attending physician. We will forward the necessary data to them so that they can arrange an appointment with you. In return, we expressly do not receive any data back from your attending physician.


Storage period:

Personal data will be retained for the period necessary to fulfil the stated purpose. This includes the storage of information on medical appointments to enable appropriate follow-up and contact. Subsequently, the data will be deleted by the controller, provided that the deletion does not conflict with any statutory retention obligations.


Truthful information:

The provision of truthful and up-to-date information is crucial for effective support. In the event of incorrect or incomplete information, the controller reserves the right to reject your enquiry or delete your data.

Usage analysis using PostHog

The controller uses the PostHog service to analyse user behaviour on the website. This is a service that enables the collection and analysis of anonymised usage data. This requires the processing of personal data.


Processed data:

  • IP address,
  • Browser type/version,
  • Operating system of the end device,
  • Website from which the request comes (so-called referrer URL),
  • Content of the request (specific page of the platform),
  • Date and time of the request,
  • Time zone,
  • Access status/http status code,
  • Volume of data transferred and usage data (e.g. time spent on pages, click rate, scrolling behaviour).


Purposes of the processing:

The processing of the aforementioned data enables the controller to analyse the use of the website and thus determine where there is still a need for improvement within the website. This follows not least from the controller's desire to adapt the website and the services offered to the needs of users in the best possible way.


Legal basis:

The lawfulness of this data processing is based on Article 6(1)(a) DSGVO. You give your consent by agreeing to the use of PostHog in the cookie banner when you first access the website (or at a later point in time).


Recipient of the data:

The recipient of your personal data within the meaning of Art. 4 No. 9 DSGVO is the provider of the usage analysis service, PostHog. In this context, PostHog acts as a processor within the meaning of Art. 4 No. 8 DSGVO for the controller and has been obliged by the controller to set up and maintain appropriate technical and organisational measures (TOMs) to protect your personal data on the basis of an order processing contract (AV contract).


Please note in this context that PostHog Inc. has its registered office in the USA. Data transfer to the USA is generally not intended, but cannot be conclusively ruled out. In this respect, the information on data transfer to third countries applies. However, we explicitly use the hosting option in the EU.


Storage period:

Although your personal data is processed exclusively in anonymised form after collection and it is therefore no longer possible to assign this data to you personally at a later date, the controller has decided to limit the storage period for this data to 14 months. At the end of the 14 months, the usage data stored by PostHog will be automatically deleted.

Integration of third-party content

Under certain circumstances, third-party content, such as videos or graphics, may be integrated into the application. The integration of these contents requires that the providers of these (third-party providers) perceive your IP address, as the contents cannot otherwise be displayed within the scope of the application.


The responsible party endeavours to only use content from third-party providers who use your IP address solely for the purpose of delivering the content. However, the responsible party has no influence on whether third-party providers process your IP address for other purposes, such as statistical analyses. If the responsible party becomes aware of such a procedure, you will be informed within the scope of this data protection declaration.


Activities of Oska Health GmbH

Oska Health GmbH is responsible for software development, the provision of health advisors and the further development of the product on behalf of Oska Health Medical GmbH.

Oska Health Medical GmbH is a wholly owned subsidiary of Oska Health GmbH. A corresponding order processing agreement has been concluded.

Contractors

  • Amazon Web Services (AWS), Amazon Web Services Emea Sàrl, 38, avenue John F. Kennedy, L-1855 Luxembourg
  • Google Workspace, Google Ireland Limited (Google), Gordon House, Barrow Street Dublin 4, Ireland
  • Builder.io, Builder.io Inc., 1501 Filbert Street, 7B, San Francisco, CA, 94123
  • Vercel, Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
  • PostHog, PostHog Inc., 2261 Market Street Unit 4008 San Francisco, CA 94114, USA
  • Zapier, Zapier Inc., 548 Market St. #62411. San Francisco, CA 94104-5401, USA
  • sipgate, sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf
  • Usercentrics, Usercentrics GmbH, Sendlinger Str. 7, 80331 München
  • Calendly, Calendly LLC., 115 E. Main Street, Suite A1B, Buford, GA, 30518, USA