1. General
1.1. Introduction
The NeuroNation MED application is a mobile application for computer-assisted cognitive training based on playful exercises of various cognitive functions (Multi-Domain Cognitive Training). Numerous individual tasks and progress control functions are available within the application for training these skills. The application aims to alleviate the symptoms of patients with mild cognitive impairments. The NeuroNation MED application is a Class I medical device according to the Medical Device Regulation 2017/745 and the Medical Devices Implementation Act.
We take the protection of your personal data very seriously and treat it confidentially and in accordance with the statutory data protection regulations and this privacy policy. This privacy policy applies to the NeuroNation MED iOS and Android apps (hereinafter "APPLICATION"). This document explains the nature, purpose, and scope of data collection in the context of using our products.
The following notes provide a simple overview of what happens to your personal data when you visit or use our APPLICATION. Personal data is all data with which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below. Health data is all data relating to a person's physical or mental health, including the provision of health services, and gives information about their health status.
Please note that data transmission over the Internet may be subject to security vulnerabilities; complete protection of data against access by third parties is not possible. Please also ensure that only you have access to your device and that you use trustworthy networks. Security issues arising from these factors cannot be fully addressed by us.
1.2. Responsible Entity
The responsible entity for data processing within this APPLICATION is:
Synaptikon GmbH
Friedrichstraße 68
10117 Berlin, Germany
Email: info@neuronation-med.de
“Responsible entity” is the entity that collects and processes personal data (e.g. names, email addresses, etc.).
1.3. Data Protection Officer
For general questions about data protection, you can contact our data protection officer Mike Peter at the following email address: dpo@neuronation.de
1.4. General Storage Duration of Personal Data and Health Data
Subject to differing or more specific information within this privacy policy, the personal data collected within the framework of this APPLICATION will be stored until you request us to delete it (see 6. Deletion of Data (Deletion Concept)), revoke your consent to storage, or the purpose of data storage ceases to apply. If there is a legal retention obligation or another legally recognized reason for data storage (e.g., legitimate interest), the relevant personal data and health data will not be deleted until the respective purpose for storage ceases to apply.
1.5. Legal Basis for Storing Personal Data and Health Data
The processing of personal data and health data is only permissible if there is an effective legal basis for processing these data. If we process your data, this is regularly done based on your consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, for the purpose of fulfilling a contract according to Art. 6 para. 1 lit. b GDPR (e.g., when using activated functions of the APPLICATION), or based on legitimate interests according to Art. 6 para. 1 lit. f GDPR, which are always subject to a balancing against your interests. The respective legal bases are mentioned at the relevant points in this privacy policy where applicable.
1.6. Encryption
This APPLICATION uses TLS encryption (the successor to SSL) for security reasons and to protect the transmission of confidential content, such as inquiries you send to us as the operator or communication between users. This encryption protects the data you transmit from being read by unauthorized third parties while in transit; it does not, by itself, protect data stored on your device or on our servers.
1.7. Changes to this Privacy Policy
We reserve the right to change this privacy policy at any time in compliance with legal requirements.
2. Your Statutory Data Protection Rights
2.1. General
The GDPR grants data subjects whose personal and health data we process certain rights, which we would like to inform you about here:
- Right of access (information) (Art. 15 GDPR, § 34 BDSG)
- Right to erasure (deletion) (Art. 17 GDPR, § 35 BDSG)
- Right to rectification (correction) (Art. 16 GDPR, § 34 BDSG)
- Right to restriction of processing (Art. 18 GDPR)
- Right to notification and communication in connection with the correction, deletion, or restriction of processing to recipients (Art. 19 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to withdraw consent (Art. 7 para. 3 GDPR)
- Right to object (Art. 21 GDPR)
- Right not to be subject to automated decision-making in individual cases or profiling (Art. 22 GDPR)
You can exercise your rights described here at any time by contacting us. You can find our contact details under point 1.2 "Responsible Entity" and point 1.3 "Data Protection Officer". You also have the right to lodge a complaint with the data protection supervisory authority responsible for us. In Berlin – our headquarters – this is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin. Alternatively, you can also contact the data protection authority of your place of residence, which will forward your concern to the competent authority.
Data processing operations within the framework of the APPLICATION are only possible with your consent. Before data processing begins, we will explicitly obtain your consent. You can revoke this consent at any time via the app settings or by email. An informal notification to info@neuronation-med.de is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
2.2. Information about Your Right to Object according to Art. 21 GDPR
You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data and health data based on Art. 6 para. 1 sentence 1 lit. f GDPR; this also applies to profiling based on these provisions. The respective legal bases on which the processing is based can be found in this privacy policy. If you object, we will no longer process your personal data and health data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
2.3. Right to Lodge a Complaint with a Supervisory Authority
In the event of violations of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy. A list of supervisory authorities (for the non-public sector) with addresses can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
2.4. Right to Restrict Processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time by email. The right to restrict processing exists in the following cases:
- If you contest the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the establishment, exercise, or defense of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have objected according to Art. 21 para. 1 GDPR, a balance must be struck between your and our interests. As long as it is not clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, these data – apart from their storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
2.5. Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over, in a common, machine-readable format, to you or to a third party. If you request the direct transfer of the data to another controller, this will only be done to the extent technically feasible.
2.6. Information, Deletion, and Correction
You have the right at any time to free information about your stored personal data and health data, their origin and recipients, and the purpose of data processing as well as a right to correction or deletion of these data. For this purpose and for further questions on the subject of personal data and health data, you can contact us at any time by email.
3. Access Rights for the Application
In order to provide our services through the APPLICATION, we require the access rights listed below, which allow us to access certain functions of your device.
- View WiFi connections
- Receive data from the Internet
- Full network access
- Prevent the device from sleeping (wake lock, so that the device does not enter "sleep mode" during a training session)
- Control vibration
To ensure the functionalities of the APPLICATION, access to these device functions is required. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, your consent pursuant to Art. 6 para. 1 lit. a GDPR and/or – if a contract has been concluded – the fulfillment of our contractual obligations (Art. 6 para. 1 lit. b GDPR). The data collected in this way is generally not stored longer than necessary for the use of the respective functions, and in no case longer than 24 hours after the app has been uninstalled.
4. Collection and Processing of Personal Data and Health Data within the Use of the APPLICATION
Below we describe which personal data we collect, for which purposes we process it, and on which legal basis we do so.
4.1. Downloading the App
You can download the app from the Google Play Store or the Apple App Store. When downloading apps from the Google Play Store or the Apple App Store, the necessary information will be transmitted to Google Ireland Limited or Apple Distribution International in Ireland, respectively, such as the username, email address, and customer number of your Google or Apple accounts, the time of download, and the unique device ID. We have no influence on this data collection and are not responsible for it. For more information, please refer to the respective privacy notices of Google (https://policies.google.com/privacy) and Apple (https://www.apple.com/legal/privacy/de-ww/).
4.2. General
When you use our APPLICATION, we collect the following personal and health data from you, depending on availability:
- Usage data
- Metadata
- IP address
- Device ID
- Email address
- Time zone
- Language
- Age group
- Mobile IDs (IDFA, IDFV, Android ID, etc.)
- Results from questionnaires and evaluations
The processing of this personal data and health data is necessary to ensure the functionality of the APPLICATION. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and/or – if a contract has been concluded – the fulfillment of our contractual obligations (Art. 6 para. 1 lit. b GDPR).
4.3. Server Log Files
The server provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. The privacy policy of IONOS SE can be found here: https://www.ionos.de/terms-gtc/terms-privacy. The server provider automatically collects and stores information in so-called server log files, which your browser or the APPLICATION automatically transmits to us. These are:
- Used operating system
- Hostname of the accessing computer
- Time of the server request
- IP address
This data will not be combined with other data sources. The data collection is based on Art. 6 para. 1 lit. f GDPR. The operator has a legitimate interest in the technically error-free presentation and the optimization of its APPLICATION – for this purpose, the server log files must be collected. For our medical device version 1.2.2 or lower, the following service provider was used for data processing and encrypted storage in Germany instead of IONOS SE: AWS Europe (Amazon Web Services EMEA SARL), 38 avenue John F. Kennedy, L-1855 Luxembourg. The privacy policy of AWS Europe can be found here: https://aws.amazon.com/de/compliance/data-privacy. From our medical device version 1.2.3 onwards, this service provider is no longer used.
4.4. Registration in the APPLICATION
You can register or create an account in our APPLICATION. For registration, you need the following data:
- Your email address
- Your freely chosen password
After successful registration and confirmation of your email address, you can log in with your email address and password. We process the aforementioned data so that you can use the APPLICATION and manage your profile. For important changes, such as changes in the scope of offers or technically necessary changes, we use the email address provided during registration to inform you. The data collected during registration (email address and password) will be stored by us as long as you are registered in this APPLICATION. Statutory retention periods and the deletion concept according to Section 6 et seq. remain unaffected.
By completing the registration in the APPLICATION, you consent to the processing of personal data and health data for the purpose of using the APPLICATION and for evidence purposes pursuant to § 134 para. 1 sentence 3 SGB V.
4.5. Redemption of an Activation Code
If you have received a DiGA activation code ("Digital Health Application") from your health insurance company to unlock the training functions of the APPLICATION, we verify this code with the health insurance company for billing purposes in accordance with § 4 para. 2 DiGAV (Digital Health Applications Ordinance), for the purpose of demonstrating agreements pursuant to § 134 para. 1 sentence 3 of the Fifth Book of the Social Code (SGB V).
4.6. Use of the CONTENT of the APPLICATION
When you use the CONTENT of the APPLICATION, we process data necessary for the provision of training and training evaluation functions (e.g., age group, answers to questions about your progress, progress data in exercises, consent to training reminders, training settings). The processing is based on Art. 6 para. 1 lit. b GDPR for the performance of a contract or for pre-contractual measures, as well as on Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests.
4.7. Inquiries via E-Mail
When you contact us by e-mail, you will receive an initial response within 24 hours. Your inquiry including all resulting personal data (e.g., e-mail address, content of the inquiry) will be stored and processed by us for the purpose of handling your request. Data processing is based on Art. 6 para. 1 lit. b GDPR, insofar as your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us. The data transmitted by you to us via contact requests will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage ceases to apply (e.g., after your request has been handled). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected. We do not pass on your data without your consent. For the processing of e-mails, we use the services of mailbox.org (https://mailbox.org) by Heinlein Support GmbH and Zammad by Zammad GmbH. These services enable the receipt, processing, and dispatch of customer inquiries, as well as the evaluation and handling of inquiries.
You can find the privacy policy of mailbox.org here: https://mailbox.org/de/datenschutz
You can find the privacy policy of Zammad here: https://zammad.org/gdpr
4.8. Newsletter Data
If you wish to subscribe to the newsletter offered within our APPLICATION, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. No further data is collected. We use these data exclusively for sending the requested information and do not pass them on to third parties.
The dispatch of the newsletter is based on your consent (Art. 6 para. 1 lit. a GDPR) for the purpose of the intended use, user-friendliness, and further development of the APPLICATION in accordance with § 4 para. 2 DiGAV. You can revoke this consent at any time. For the dispatch of the newsletter, we use the following service provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin (product: mailbox.org, https://mailbox.org). The privacy policy of this service provider can be found here: https://mailbox.org/de/datenschutz
We also use the following service provider in this context: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. You can find the privacy policy of IONOS SE here: https://www.ionos.de/terms-gtc/terms-privacy
With our medical device version 1.2.2 or lower, the following service provider was used in Germany instead of IONOS SE: AWS Europe (Amazon Web Services EMEA SARL), 38 Avenue John F. Kennedy, L-1855 Luxembourg. The privacy policy of AWS Europe can be found here: https://aws.amazon.com/de/compliance/data-privacy
4.9. Hosting and Content Delivery Networks (CDN)
The web services associated with this APPLICATION are hosted by an external service provider (hoster). The personal data collected in this APPLICATION is stored on the servers of the hoster. The use of the hoster serves the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and our interest in a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will process your data only to the extent necessary to fulfill its contractual obligations and will follow our instructions regarding this data. In order to ensure data processing in compliance with data protection regulations, we have concluded a data processing agreement with our hoster. As a hoster, we use IONOS SE, Elgendorfer Str. 57, 56410 Montabaur.
You can find the privacy policy of IONOS SE here: https://www.ionos.de/terms-gtc/terms-privacy Personal data is transmitted in encrypted form and stored in Germany.
With our medical device version 1.2.2 or lower, the following provider was used in the APPLICATION instead of IONOS SE: AWS Europe (Amazon Web Services EMEA SARL), 38 Avenue John F. Kennedy, L-1855 Luxembourg. The privacy policy of AWS Europe can be found here: https://aws.amazon.com/de/compliance/data-privacy
4.10. Processing of Data within the Framework of the Ordinance on Digital Health Applications (DiGAV)
As described above, in the APPLICATION, the DiGA activation code can be entered, which is available within the framework of a prescription by a treating physician, therapist, or approval from your statutory health insurance. If you receive the APPLICATION in this way, the Ordinance on Digital Health Applications, DiGAV, specifies and complements the requirements of the General Data Protection Regulation (GDPR) and other data protection requirements for the manufacturer's company and for the DiGA itself. The personal data and health data are processed exclusively for the following purposes: (1) for the intended use of the digital health application by the user, (2) for demonstrating positive care effects within the framework of an examination pursuant to § 139e paragraph 4 of the Fifth Book of the Social Code, (3) for demonstrating agreements pursuant to § 134 paragraph 1 sentence 3 of the Fifth Book of the Social Code, and (4) for the permanent guarantee of the technical functionality, user-friendliness, and further development of the digital health application.
The demonstration of agreements pursuant to § 134 paragraph 1 sentence 3 of the Fifth Book of the Social Code primarily serves the billing with your health insurance company. For this purpose, your activation code is collected and processed. The permanent guarantee of technical functionality, user-friendliness, and the further development of the DiGA includes the processing of your feedback to improve the app. The prerequisite for lawful data processing pursuant to § 4 para. 2 DiGAV is that you consent to data processing for the purposes mentioned above. Consent is given during registration in the APPLICATION as described above under point 4.4 and can be revoked as described above under point 2.
4.11. Information about the Prescribing Physician and/or Health Insurance
Depending on whether you have a prescription and an activation code, we process your data, which may also include health data, in two ways. You will be asked for information about "Who prescribed NeuroNation MED to you?". The data processing described below can be combined depending on the consent you give us. In both cases, the information is optional. Please skip this information if you do not wish to provide it.
4.11.1. Information about Health Insurance as part of the intended use of the NeuroNation MED App
To assist you in using the app fully and correctly (i.e., to ensure its intended use), we ask for the name of the doctor who prescribed NeuroNation MED to you. We do this to ensure that you use our DiGA under the following conditions:
- Your doctor prescribed the NeuroNation MED app to you, i.e., you have a valid prescription.
- You have downloaded the app.
- You have set up and registered a user account.
By clicking the "Send" button, you also agree that we will inform you by email on how best to interact with your health insurance company regarding the activation of NeuroNation MED. As processing speed and pathways may vary depending on the health insurance company, we support you in obtaining an activation code as quickly as possible and using the app as intended. Additionally, by clicking the "Send" button, you agree that NeuroNation MED may contact you by email and telephone to offer assistance with activation. The legal basis is your consent (Art. 9 para. 2 lit. a and Art. 6 para. 1 lit. a GDPR, § 4 para. 2 no. 1 DiGAV).
4.11.2. Improving User Friendliness: Information about Health Insurance and Doctor
For the further development of our DiGA, we ask for information about the prescribing doctor (first and last name, postal code, city) and the name of your health insurance company. We do this to identify any process gaps in the activation of already prescribed DiGAs and to take targeted measures to continuously improve user friendliness. The legal basis for this is your consent (Art. 9 para. 2 lit. a and Art. 6 para. 1 lit. a GDPR, § 4 para. 2 no. 4 DiGAV).
4.12. Inquiries by Telephone
When you contact us by telephone, your request including all resulting personal data (e.g., telephone number, content of the inquiry) will be stored and processed by us for the purpose of handling your request. Data processing is based on Art. 6 para. 1 lit. b GDPR, to the extent that your request is related to the fulfillment of a contract or necessary for the implementation of pre-contractual measures. In all other cases, processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in effectively processing inquiries addressed to us. The data transmitted by you to us via contact inquiries will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for data storage no longer applies (e.g., after your inquiry has been handled). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected. We do not disclose your data without your consent. For the processing of telephone inquiries, we use the services of sipgate. This service enables voice-over-IP communication. You can find sipgate's privacy policy here: https://www.sipgate.de/datenschutz.
5. Data Analysis
When you use our APPLICATION, your usage behavior may be analyzed to demonstrate positive care effects in the context of an examination under § 139e para. 4 SGB V and to demonstrate agreements under § 134 para. 1 sentence 3 SGB V. Statistical evaluations may be carried out for the permanent assurance of technical functionality, user-friendliness, and further development of the DiGA. When using external service providers (processors), we ensure through corresponding contracts with the service providers that data processing complies with German and European data protection standards.
6. Deletion of Data (Deletion Concept)
Processing of your personal and health data is based solely on your consent when registering for the APPLICATION.
You can revoke your consent at any time in the app settings. If you withdraw your consent, you will not be able to use the application. The consent remains valid until revoked.
In addition, you have the right to deletion and to be forgotten, allowing you to request the deletion of your data. In addition to the Federal Data Protection Act and the General Data Protection Regulation, as well as other laws (in particular the Fiscal Code (AO), the Commercial Code (HGB), and the Social Security Code (SGB)), Synaptikon GmbH is subject to various types of data and document retention obligations. In principle, we only store all data for as long as necessary to fulfill legal and contractual obligations. We will promptly delete the data thereafter. Specific deletion deadlines can be found in the following sections.
6.1. Deletion of User Data
Synaptikon GmbH collects and processes certain user data, which are personal data and, in part, health data within the meaning of Art. 9 para. 1 GDPR (e.g., email address, survey results, IP address). To exercise your right to deletion and to be forgotten, simply log into the APPLICATION. You can then request the deletion of your account and your data in your profile. If you have requested deletion, all personal and health data not subject to legal retention requirements will be deleted promptly.
If you do not proactively request deletion of your data, all personal and health data will be deleted after expiration of your access. For your convenience, during registration, you can optionally consent to access your data for an additional 30 days after the expiration date to allow time to enter a new activation code for your existing account. You can revoke this optional consent at any time via the app settings. Without a new activation code, your data will be deleted after this extended period.
6.2. Deletion of Billing Data
For accounting reasons, billing data must be retained for up to ten years after your deletion request. We are legally obligated to do so by the Commercial Code, the Fiscal Code, the Money Laundering Act, and the Medical Devices Act. To fully comply with your deletion request, we will also restrict and pseudonymize such data subject to legal retention obligations immediately upon your request through technical measures, so that assignment of the data to your user profile is no longer possible. This way, your pseudonymized data will be securely stored only for legal retention purposes.
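One way to implement the pseudonymization of retained billing records described above, as an added example that is not Synaptikon's code: the direct identifier (email) is dropped, and the user ID that links the record to the profile is replaced by an HMAC-SHA256 pseudonym whose key is held separately from the billing store. The record layout, field names, the candidate-ID range used for the re-identification check, and the key handling are assumptions for illustration. The example also shows why a keyed pseudonym is used: an unkeyed hash of a short, structured user ID can be reversed by simply hashing every plausible ID.

```python
"""Pseudonymizing a billing record that must be retained after a deletion request.

Added example, not the manufacturer's code. Field names, the candidate-ID
range and the key handling are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample billing record (not real data).
BILLING_RECORD = {
    "user_id": "u-1001",                    # links the record to the user profile
    "email": "patient@example.org",         # direct identifier, not needed for retention
    "activation_code": "ABCD-1234-EFGH",    # needed for billing evidence
    "invoice_no": "INV-2024-0001",
    "amount_eur": 500.0,
}

# Direct identifiers that the retention duty does not require; dropped outright.
DROP_FIELDS = ("email",)


def make_key() -> bytes:
    """Pseudonymization key; assumed to live outside the billing store (e.g. in a KMS)."""
    return secrets.token_bytes(32)


def keyed_pseudonym(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the user ID: stable per user, but unlinkable without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def naive_pseudonym(user_id: str) -> str:
    """Unkeyed SHA-256: shown only to demonstrate the re-identification risk."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy fit for retention-only storage (Art. 18 restriction flag set)."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["user_id"] = keyed_pseudonym(record["user_id"], key)
    out["restricted"] = True   # processing beyond storage is blocked by application logic
    return out


def reidentify_by_dictionary(pseudonym: str, candidates: Iterable[str],
                             fn: Callable[[str], str]) -> Optional[str]:
    """Try every candidate ID through fn; returns the ID if the pseudonym matches."""
    for uid in candidates:
        if hmac.compare_digest(fn(uid), pseudonym):
            return uid
    return None


if __name__ == "__main__":
    key = make_key()
    stored = pseudonymize(BILLING_RECORD, key)
    candidates = [f"u-{i}" for i in range(1000, 2000)]
    print("retained record:", stored)
    print("unkeyed hash recovered:", reidentify_by_dictionary(naive_pseudonym("u-1001"), candidates, naive_pseudonym))
    print("keyed pseudonym without key:", reidentify_by_dictionary(stored["user_id"], candidates, naive_pseudonym))
    print("keyed pseudonym with key:", reidentify_by_dictionary(stored["user_id"], candidates, lambda u: keyed_pseudonym(u, key)))
```

The practical check is the third print line: only a party holding the separately stored key can relink the retained record to a user, which is what allows the data to be kept for the retention period without remaining assignable to the user profile in the billing store itself. Destroying that key at the end of the retention period turns the records into effectively anonymous data.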
6.3. App Deletion - Uninstalling
Uninstalling our mobile application from your mobile phone deletes only the application itself, not the data stored on our servers up to that point. To delete your data, please follow the steps described in Section 6.1.