Privacy policy
1. General information
1.1. Purpose of the Privacy Policy
It is of utmost importance for us to protect your personal data. Therefore, we comply with the applicable data protection provisions, in particular, the EU General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG"), and the Austrian Telecommunications Act ("TKG").
The goal of our Privacy Policy is to provide all necessary information about processing your personal data within XUND application (hereinafter referred to as “XUND” or “App”) in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and assist the data subjects in exercising their rights.
In the Privacy Policy, we may define you as “data subject” in the following. You may find further definitions concerning your personal data within the Appendix of the current Privacy Policy.
1.2. Data of the Data controller
Name: XUND Solutions GmbH
Seat: 1010 Vienna, Dorotheergasse 10/12a
Registry number: FN 495664 v
Tax number: 21914885
Phone number: +43 1 2535999
Email: privacy@xund.ai
Data protection officer: Mag. Nino Tlapak, LL.M
Address: 1010 Vienna, Universitätsring 10
Email: nino.tlapak@dorda.at
Phone number: +43 1 5334795 23
2. Data processing activities within the App
2.1. Usage of the app
2.1.1. Processed personal data and purpose of processing
| Personal data | Purpose of processing | Necessity of the processing |
| Health data of the user and secondary profiles | Collection of medical data for the effective operation of the algorithm, setting up the profile ("My Health" menu) | The processing is optional, however, if you do not provide this information to the App by answering the questions, you will neither be able to use the assessments nor edit the "My Health" menu |
| Location data of the mobile device of the user | Providing information on the nearby healthcare providers to the user | The processing is optional, however, if you do not provide this information to the App, it will not be able to show you the relevant healthcare providers near your location |
2.1.2. Legal basis of processing
The processing of this personal data is based on the data subject's freely given explicit consent declaration (section 9 paragraph 2 point a) of GDPR). The processing of the location data of the mobile device is based on the voluntary express consent of the data subject. You have the right to withdraw your consent at any time with effect for the future.
2.1.3. Duration of the processing
Personal data are stored on your mobile device within the App as long as you do not delete those. All user data are stored within an independent module of the XUND architecture, in encrypted form.
2.2. Crash data
2.2.1. Processed personal data and purpose of processing
We process the following data in case a crash occurs on your phone while using our App:
- Operating system version
- Amount of available memory at the time of the crash
- Generally available total memory
- Whether the device has been jailbroken
- Which line of code caused the crash
This data is generated automatically through the Google Firebase Crashlytics function when you use our App and is necessary so that we can analyze any potential issues with the App.
2.2.2. Legal basis of processing
We process this data on the basis of our legitimate interests in operating a user-friendly and secure App (article 6 point (1) f) of GDPR).
2.2.3. Duration of the processing
This information is anonymized irrevocably and permanently stored for statistical purposes only.
2.3. Processing concerning customer service
We will answer your questions or inspect the circumstances you requested a complaint for concerning the App. The details of processing your personal data for these purposes are described hereunder.
2.3.1. Processed personal data and purpose of processing
|
Personal data |
Purpose of processing |
|
Name |
Identification of the user |
|
Email address |
Contacting the user and providing information if you contact us via email |
|
Phone number |
Contacting the user and providing information if you contact us via our phone number |
|
Your request or message |
Answer your request |
2.3.2. Legal basis of processing
We process the data provided within the course of contacting us solely for processing your enquiry, to get in contact with you if desired, and to provide you with the requested information. This data processing is therefore necessary for the fulfillment of our (pre)contractual obligations. (article 6 point (1) b) of GDPR).
2.3.3. Duration of processing
We process your personal data as long as it is required for this purpose and store it for another six months after the last contact to be able to answer possible follow-up questions.
2.4. Feedback
2.4.1. Processed personal data and purpose of processing
If you decide to give us feedback on our App and services provided, we process only your input information to manage your improvement suggestions and implement them in our services. The feedback function is basically anonymous. We kindly ask you not to include any personal data in your input. Nevertheless, if you do use personal data in the feedback, we will process it as well.
2.4.2. Legal basis of processing
We process this data on the basis of our legitimate interests in the further development and improvement of our App (article 6 point (1) f) of GDPR).
2.4.3. Duration of processing
We process your personal data as long as it is required for this purpose and store it for another three years after the last contact.
3. Can we identify you?
We, as data controllers, only have technical access to your email address. All the other personal data referred to above are end-to-end encrypted, so we do not have the technical possibility to identify you or relate any information to you from those data.
If you rate our App we may exclusively identify you in the case that you provide any personal data within the plain text menu.
4. Transfer of personal data
We do not sell, rent or lease your personal data to third parties.
Within our App, we use additional services and content from third-party providers due to our legitimate interests in the provision, optimization, and economic operation of our App. This regularly requires that the user's IP address is transmitted to these third parties. Without the IP address, they are namely unable to send the requested content to the correct browser. The IP address is, therefore, necessary for the display of this content and the use of the embedded services.
Specifically, we make use of the following third-party services and content in our App:
- Google Firebase
- Google Maps (for Android systems)
- Apple Maps (for iOS systems)
We entrust your personal data to the extent necessary to the following external service providers (data processors) that support us with the performance of our services:
- IT-service providers and/or providers of data hosting solutions or similar services;
- Other service providers, providers of tools, and software solutions that support us with the performance of our Services as well and operate on our behalf (including providers of marketing tools, communication service providers).
All our data processors process your data only on our behalf and on the basis of our instructions so that we can provide you with our services.
Apart from that, we transmit your personal data to the extent necessary to the following recipients (controllers):
- External third parties on the basis of our legitimate interests in the extent necessary (e.g., auditors and tax consultants, insurances in case of insured events, legal representatives in case of incidents, courts, and competent authorities);
- Authorities, courts, and other public entities to the extent legally necessary (e.g., financial or data protection authorities).
5. Data security
We secure your personal information from unauthorized access, use, or disclosure. We secure the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. When personal information (such as connection data) is transmitted to other Websites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) or HTTPS protocol.
Our employees and the employees of the data processors have the right to get acquainted with the personal data of the User, to the extent necessary, for the performance of the tasks which belong to their job. We make all technical and organizational measures that guarantee the security of the data. We and the data processors undertake strict confidentiality rules in a written statement, and we are obliged to act in accordance with these confidentiality rules during the course of our activities.
6. What are your rights?
6.1. Right to access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information featured in point 2.
Since we do not have the technical opportunity to access the data you provided in the App, please use the function “Export data” in the Settings menu in your App to exercise your right to access. Information on data processed outside the App will be provided to you separately at your email address.
6.2. Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
6.3. Right to erasure and restriction of processing
Under certain circumstances, you have the right to obtain from us the erasure of personal data concerning you without undue delay. Further, you have the right to obtain from us restriction of processing if it is obligatory according to Article 18 of GDPR. If you obtain restriction of processing in accordance with the above, we inform you before the restriction of processing is lifted.
6.4. Right to data portability
You have the right to receive the personal data concerning you, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us if possible according to Article 20 of GDPR. Where technically feasible, you have the right to have the personal data transmitted directly from us to another controller.
6.5. Right to object
Moreover, you have the right to object on grounds relating to your particular situation (Art 21 GDPR). Such an objection can, in particular, occur relating to the processing of data for the purposes of direct marketing. You can exercise your right of objection at any time, e.g., directly via the App.
6.6. Right to withdraw the consent
Additionally, you have the right to withdraw any given consent at any time with effect for the future.
6.7. Right to lodge a complaint
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you have the option of filing a complaint with the data protection authority.
In Austria, this is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna. Before you file a complaint with the data protection authority or when exercising your rights and other questions, please contact us at privacy@xund.ai
6.8. Identification of the data subject
If we have reasonable doubts concerning the identity of the data subject making the request, we may request the provision of additional information necessary (e.g., ID) to confirm the identity of the data subject.
7. Other provisions
7.1. Processing for a different purpose
If we intend to process the personal data for a purpose other than the original purpose, we will provide you with information about this other purpose and any other necessary information prior to such processing.
7.2. Changes to our Privacy Policy
We will occasionally update this Privacy Policy to reflect feedback. We encourage you to periodically review this Policy to be informed of how we are protecting your information.
December 2022
XUND Solutions GmbH
Controller
8. Appendix – Definitions
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
- ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
- ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
- ‘supervisory authority concerned’ means a supervisory authority which is concerned with the processing of personal data because:
- ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;