The NeuroNation MED application is a mobile application for computer-based cognitive training, built on playful exercises that target various cognitive functions (Multi-Domain Cognitive Training). For the training of these abilities, a wide variety of individually adapted tasks and functions for research progress control are available within the application. The application is designed to alleviate the symptoms of patients with mild or moderate cognitive disorders. The NeuroNation MED application is a class I medical device according to the Medical Devices Regulation (EU) 92/42/EEC and the Medical Devices Act.
This document explains the type, purpose and scope of data collection in connection with the use of our products.
We point out that data transmission on the Internet can have security gaps. Complete protection of data against access by third parties is not possible. Please also ensure that only you have access to your end device and use trusted networks. Security problems that could otherwise arise cannot be fully addressed by us.
The responsible party for data processing in the context of this PRODUCT is:
10117 Berlin, Germany
"Responsible party" is the party that collects, processes or uses personal data (e.g. names, email addresses etc.).
Data protection contact
You can reach out to our data protection contact at:
10117 Berlin, Germany
General information on data retention for personal data
Legal basis for the storage of personal data
This PRODUCT uses SSL or TLS encryption for reasons of security and to protect the transmission of confidential content, such as the requests you send to us as the operator, or communication between users. This encryption prevents the data you transmit from being read by unauthorized third parties.
We reserve the right to change these data protection regulations at any time in compliance with legal requirements.
II. Your rights
The GDPR grants data subjects whose personal data are processed by us certain rights about which we would like to inform you at this point:
Revocation of your consent to data processing
Many data processing operations are only possible with your consent. We will expressly obtain this from you before we start processing the data. You can revoke this consent at any time. For this purpose, an informal notification by email to us is sufficient. The legality of the data processing operations carried out up to the point of revocation remains unaffected by the revocation.
Right to object to data collection (Article 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) (f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Right of appeal to a supervisory authority
In the event of violations of the GDPR, those affected have a right of appeal to a supervisory authority. This right of appeal is without prejudice to other administrative or judicial remedies.
Information, deletion and correction
You have the right to receive information free of charge at any time about your stored personal data, its origin and recipients and the purpose of data processing, as well as the right to correct or delete this data. You can contact us at any time by email for this purpose and for further questions on the subject of personal data.
Right to restriction of processing
You have the right to request that the processing of your personal data be restricted. For this purpose you can contact us at any time by email. The right to limit processing exists in the following cases:
- If you dispute the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the review, you have the right to demand the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can demand the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the exercise, defence or assertion of legal claims, you have the right to demand the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection in accordance with Article 21 (1) GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to demand the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a member state.
Right to data portability
You have the right to have data, which we process automatically on the basis of your consent or in fulfilment of a contract, handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done to the extent technically feasible.
III. Access rights of the PRODUCT
In order to provide our services, we require the access rights listed below, which enable us to access certain functions of your device.
- Wi-Fi connections
- Receiving data from the Internet
- Network access
- Power saving mode (prevent the "sleep mode" from being activated on the device)
- Vibration control
Access to the device functions is required to ensure the functionality of the PRODUCT. The legal basis for this data processing is our legitimate interest within the meaning of Article 6 (1) (f) GDPR, your consent within the meaning of Article 6 (1) (a) GDPR and/or - if a contract has been concluded - the fulfilment of our contractual obligations (Article 6 (1) (b) GDPR).
The data collected in this way will generally not be stored for longer than is necessary for the use of the corresponding functions, but at most until 24 hours after the uninstallation of the App.
IV. Collection and processing of personal data
In the following, we describe what personal data we collect, for what purposes we process it and on what legal basis we do so.
Downloading the app
You can download the app from the Google Play Store or the Apple App Store. When downloading apps from the Google Play Store or the Apple App Store, the information required for this is transferred to Google Ireland Limited or Apple Distribution International in Ireland, i.e. in particular user name, e-mail address and customer number of your Google or Apple account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it.
For more information, please see the respective privacy notices of Google (https://policies.google.com/privacy) and Apple (https://www.apple.com/legal/privacy/de-ww/).
When you use our PRODUCT, we collect the following personal data from you, depending on availability:
- Usage data
- IP address
- Device identifier
- Email address
- Age group
- Mobile IDs (IDFA, IDFV, Android ID etc.)
The processing of this personal data is necessary to guarantee the functionalities of the PRODUCT. The legal basis for this data processing is our legitimate interest within the meaning of Article 6 (1) (f) GDPR, your consent within the meaning of Article 6 (1) (a) GDPR and/or - if a contract has been concluded - the fulfilment of our contractual obligations (Article 6 (1) (b) GDPR).
Server log files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser or the PRODUCT automatically sends to us. These are:
- Operating system used
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
The collection of these data is based on Article 6 (1) (f) GDPR. The operator has a legitimate interest in the technically error-free display and optimization of his application - for this purpose the server log files must be recorded.
Registration in the PRODUCT
You can register in the PRODUCT to use additional features. We will use the data entered for this purpose only for the purpose of using the respective offer or service for which you have registered. The mandatory data requested during registration must be provided in full. Otherwise we will refuse the registration.
In the event of important changes, for example in the scope of the offer or technically necessary changes, we will use the email address provided during registration to inform you in this way.
The data entered during registration is processed for the purpose of implementing the user relationship established by the registration and, if applicable, for the initiation of further contracts (Article 6 (1) (b) GDPR).
The data entered during registration is stored by us for as long as you are registered in this PRODUCT and is then deleted. Legal retention periods remain unaffected.
Redeeming a DiGA unlock code
If you have a DiGA activation code from your health insurance company for the activation of the PRODUCT, then the code will be verified by us with the health insurance company and used to bill the DiGA. This is done on the basis of the DiGAV §4 (2) for the verification of agreements § 134 paragraph 1 sentence 3 of the Fifth Book of the Social Code.
Using the content of the PRODUCT
When you use the content of the PRODUCT, we process data necessary to provide the training and training evaluation features (e.g., age group, answers to questions about your progress, progress data in exercises, consent to training reminders, training settings).
The processing is based on Article 6 (1) (b) GDPR for the fulfillment of a contract or the implementation of pre-contractual measures and Article 6 (1) (f) GDPR to protect our legitimate interests.
Request within the PRODUCT, by email or by phone
If you contact us (e.g. via contact form within the PRODUCT, by email, telephone or fax), your inquiry including all personal data resulting from it (e.g. name, inquiry) will be stored and processed by us for the purpose of processing your request. This data is processed on the basis of Article 6 (1) (b) GDPR, provided that your inquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases the processing is based on your consent (Article 6 (1) (a) GDPR) and/or on our legitimate interests (Article 6 (1) (f) GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us. The data sent to us by you via contact request will remain with us until you request us to delete it, revoke your consent for storage or the purpose for which the data was stored no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected. We will not pass on your data without your consent.
For data processing of emails we use the services of mailbox.org of Heinlein Support GmbH. These enable the receipt, processing and sending in case of customer requests, as well as the evaluation of the requests and their processing.
If you would like to receive the newsletter offered in our PRODUCT, we need an email address from you as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. Further data will not be collected. We use these data exclusively for sending the requested information and do not pass them on to third parties. The dispatch of the newsletter is based on your consent (Article 6 (1) (a) GDPR). You can revoke this consent at any time.
For the maintenance and analysis of our newsletters we use the following data through our service providers:
- Opening of emails
- Clicks on emails
- Newsletter subscriptions
Hosting and Content Delivery Networks (CDN)
The web services belonging to this PRODUCT are hosted by an external service provider (Hoster). The personal data collected in this PRODUCT is stored on the hoster's servers.
The use of the hoster is for the purpose of fulfilling the contract with our potential and existing customers (Article 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online services by a professional provider (Article 6 (1) (f) GDPR).
Our hoster will only process your data to the extent necessary to fulfill its performance obligations and will follow our instructions with regard to this data.
In order to ensure that the processing complies with data protection regulations, we have concluded a data processing agreement with our hoster.
We use AWS Europe (Amazon Web Services EMEA SARL) as hoster. Personal data is transmitted encrypted. We store personal data encrypted in Germany.
Data flow of personal data to the USA can be excluded here due to technical and organizational measures. This is due to the following: We are the exclusive and legal owner of the keys used to encrypt personal data. The keys are automatically applied in our service provider's data center in Germany for encryption and administered by us. Technical and organizational measures prevent the service provider from reading the keys or moving them to other data centers outside Germany.
Processing of data within the scope of the DiGAV act
As described above, the DiGA activation code, which can be obtained as part of a prescription from a treating physician or an authorization from your statutory health insurance, can be used in the PRODUCT.
If you obtain the PRODUCT in this way, the DiGAV specifies and supplements the requirements of the General Data Protection Regulation (GDPR) and other data protection requirements for the manufacturer's company and for the DiGA itself.
Personal data may only be processed in a DiGA for the following purposes: (1) for the intended use of the digital health application by the users, (2) for the proof of positive care effects in the context of a trial pursuant to Section 139e (4) of the Fifth Book of the German Social Code, (3) for the proof of agreements pursuant to Section 134 (1) Sentence 3 of the Fifth Book of the German Social Code, and (4) for the permanent guarantee of the technical functionality, user-friendliness and further development of the digital health application.
The intended use of the DiGA by the users includes any data collection and processing that is necessary to use the DiGA in accordance with its intended purpose within the scope of health treatment.
The personal data described above, which you provide as part of the intended use of the PRODUCT, are necessary to ensure the goal of the use of the PRODUCT in the best possible way. The objective of the PRODUCT is described in the introduction above.
The verification of agreements § 134 Paragraph 1 Sentence 3 of the Fifth Book of the German Social Code (Sozialgesetzbuch) primarily serves the purpose of verification for billing the user's health insurance company. Your activation code is recorded and processed for this purpose.
The permanent guarantee of the technical functionality, user-friendliness and further development of DiGA includes the processing of your feedback to improve the app.
The prerequisite for lawful data processing pursuant to Section 4 (2) DiGAV is that you consent to the data processing under the aforementioned purposes. Consents are given during registration in the PRODUCT and can be revoked as described above under "Your rights".
V. Data Analysis
When you access our PRODUCT, your behavior may be statistically evaluated using certain analysis tools and processed exclusively for the purposes described above. When using corresponding tools, we ensure compliance with the statutory data protection provisions. When using external service providers (order processors), we ensure through appropriate contracts with the service providers that the data processing complies with German and European data protection standards.
If you would like to receive the newsletter offered in our PRODUCT, we need your contact data (email address) as well as information that allows us to verify that you are the owner of the contact data provided and that you agree to receive the newsletter.
The contact data may additionally consist of device identifiers to be stored, if you wish us to contact you via push notification.
Further data will not be collected, or only on a voluntary basis. We use this data exclusively for sending the requested information.
The processing of the data provided is based exclusively on your consent (Article 6 (1) (a) GDPR). You can revoke your consent to the storage of the data, the contact data as well as their use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter in the case of emails or via your profile settings in general. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data you have provided us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter or the newsletter service provider and will be deleted from the newsletter distribution list after you unsubscribe. Data that has been stored by us for other purposes remains unaffected.
After you have been removed from the newsletter distribution list, your contact data may be stored in a blacklist by us or the newsletter service provider to prevent future newsletters from being sent. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in compliance with the legal requirements for sending newsletters (legitimate interest in the sense of Article 6 (1) (f) GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.