1. General information
It is of utmost importance for us to protect your personal data. Therefore, we comply with the applicable data protection provisions, in particular the EU General Data Protection Regulation (‘GDPR‘), the Austrian Data Protection Act (‘DSG‘) and the Austrian Telecommunications Act (‘TKG‘).
1.2. Data of the Data controller
|Name:||XUND Solutions GmbH|
|Seat:||1060 Wien, Webgasse 9/2.8.|
|Registry number:||FN 495664 v|
|Phone number:||+43 1 2535999|
2. Data processing activities within the app
2.1. Registration and profile setup
2.2.1. Processed personal Data and purpose of processing
|personal data||purpose of processing||necessity of the processing|
|name (first name, last name) of users for main or side profiles||identification of the user and his/her main or side profiles by the app||the processing of your first name is necessary for the operation of the app (registration), however, you can choose yourself whether you want to provide the full name in the main or side profiles|
|password||performing technical measures||the processing is necessary for the operation of the app (registration)|
|email address||contacting and identification of the user||the processing is necessary for the operation of the app (registration)|
|year of birth, gender||identification of the user and his or her main or side profiles by the app, collection of statistical data for the effective operation of the algorithm||the processing is necessary for the operation of the app (registration, making your main profile), however, you can make side profiles for other users where you can provide these categories of personal data|
|security questions||identification of the user||the processing is necessary for the operation of the app and increasing security of your profile|
2.1.2. Legal basis of processing
We process this personal data for the performance of the contract concluded between you and us (section 6 paragraph 1 point b) of GDPR). You enter the contract by the acceptance of the General Terms and Conditions. If you decide not to provide personal data not necessary for the operation of the app, certain services will not be available for you as described above. Your personal data are stored within the app’s backend.
2.1.3. Duration of the processing
Personal data are stored on your mobile device within the app as long as you do not delete those. All user data are stored within an independent module of the XUND architecture, in encrypted form. Even after you delete your profile from the app, the health data you provided previously stay in this module, however, this information is anonymised irrevocably and used for statistical purposes only (see Pt 2.3).
2.2. Using the App
2.2.1. Processed personal data and purpose of processing
purpose of processing
necessity of the processing
health data of the user and secondary profiles
collection of medical data for the effective operation of the algorithm, setting up the profile (‘My Checks’ menu)
the processing is optional, however, if you do not provide this information to the app by answering the questions, you will neither be able to use the assessments nor to edit the ‘My Checks’ menu
location data of the mobile device of the user
providing information on of the nearby healthcare providers to the user
the processing is optional, however, if you do not provide this information to the app, it will not be able to show you the relevant healthcare providers near to your location
2.2.2. Legal basis of processing
The processing of this personal data is based on the data subject’s freely given explicit consent declaration (section 9 paragraph 2 point a) of GDPR). You have the right to withdraw your consent at any time with effect for the future.
2.2.3. Duration of the processing
Personal data are stored on your mobile device within the app as long as you do not delete those. All user data are stored within an independent module of the XUND architecture, in encrypted form.
2.3. Crash data
2.3.1. Processed personal data and purpose of processing
We process the following data in case a crash occurs on your phone while using our app:
- Operating system version
- Amount of available memory at the time of the crash
- Generally available total memory
- Whether the device has been jailbroken
- Which line of code caused the crash
This data is generated automatically through the Google Firebase Crashlytics function when you use our App and is necessary so that we can analyse any potential issues with the app.
2.3.2. Legal basis of processing
We process this data on the basis of our legitimate interests in operating a user- friendly and secure App (article 6 point (1) f) of GDPR).
2.3.3. Duration of the processing
This information is anonymised irrevocably and permanently stored for statistical purposes only.
2.4. Processing concerning customer service
We will answer your questions or inspect the circumstances you requested a complaint concerning the app. The details of processing your personal data for these purposes are described hereunder.
2.4.1. Processed personal data and purpose of processing
purpose of processing
identification of the user
contacting the user and providing information if you contact us via e-mail
contacting the user and providing information if you contact us via our phone number
your request or message
answer your request
2.4.2. Legal basis of processing
We process the data provided within the course of contacting us solely for processing your inquiry, to get in contact with you if desired and to provide you with the requested information. This data processing is therefore necessary for the fulfilment of our (pre)contractual obligations. (article 6 point (1) b) of GDPR).
2.4.3. Duration of processing
We process your personal data as long as it is required for this purpose and store it for another six months after the last contact to be able to answer possible follow-up questions.
2.5.1. Processed personal data and purpose of processing
We process the personal data that you provided us voluntarily in the course of the registration for the newsletter (your e-mail address and your user name) for sending you e-mail newsletters about our platform, current projects, marketing, and product information.
2.5.2. Legal basis of processing
We process this data on the basis of your consent declaration (article 6 point (1) b) of GDPR).
You can withdraw your consent to the receipt of our newsletter at any time (through the unsubscribe link in our e-mail newsletters) with effect for the future and free of charge. After receipt of your withdrawal, we will cease the further sending of e-mail newsletters immediately and erase your personal data from the mailing list.
2.5.3. Duration of processing
Provided that you have only registered for our newsletter and are, apart from that, no customer of us, we store your data until the withdrawal of your consent and beyond that for a maximum of three years.
2.6.1. Processed personal data and purpose of processing
If you decide to give us feedback on our App and services provided, we process only your input information to manage your improvement suggestions and implement them in our services. The feedback function is basically anonymous. We kindly ask you not to include any personal data in your input. Nevertheless, if you do use personal data in the feedback, we will process it as well.
2.6.2. Legal basis of processing
We process this data on the basis of our legitimate interests in the further development and improvement of our App (article 6 point (1) f) of GDPR).
2.6.3. Duration of processing
We process your personal data as long as it is required for this purpose and store it for another three years after the last contact.
3. Can we identify you?
We, as data controllers only have technical access to your email address. All the other personal data referred to above are end-to-end encrypted so that we do not have the technical possibility to identify you or relate any information to you from those data.
If you rate our app we may exclusively identify you in the case that you provide any personal data within the plain text menu.
4. Additional embedded services and contents of third parties
Within our App, we use further services and contents of third party providers to incorporate their contents and services on the basis of our legitimate interests in the provision, optimisation and economical operation of our App. This regularly requires that the third parties of these contents receive the IP address of the user as they are not able to send the requested contents to the right browser without the IP address. The IP address is therefore necessary for the display of these contents and the use of the embedded services.
Specifically, we have utilised the following services and contents of third parties in our App:
- Google Firebase
5. Possible recipients
We do not sell, rent or lease your personal data to third parties.
We entrust your personal data to the extent necessary to the following external service providers (data processors) that support us with the performance of our services:
- IT-service providers and/or providers of data hosting solutions or similar services;
- Other service providers, providers of tools and software solutions that support us with the performance of our Services as well and operate on our behalf (including providers of marketing tools, communication service providers).
All our data processors process your data only on our behalf and on the basis of our instructions so that we can provide you with our services.
Apart from that, we transmit your personal data to the extent necessary to the following recipients (controllers):
- External third parties on the basis of our legitimate interests in the extent necessary (e.g. auditors and tax consultants, insurances in case of insured events, legal representatives in case of incidents, courts and competent authorities);
- Authorities, courts and other public entities to the extent legally necessary (e.g. financial or data protection authorities).
6. Data security
We secure your personal information from unauthorised access, use or disclosure. We secure the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorised access, use or disclosure. When personal information (such as connection data) is transmitted to other Websites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) or HTTPS protocol.
Our employees and the employees of the data processors have the right to get acquainted with the personal data of the User, to the extent necessary, for the performance of the tasks which belong to their job. We make all technical and organisational measures that guarantee the security of the data. We and the data processors undertake strict confidentiality rules in a written statement, and we are obliged to act in accordance with these confidentiality rules during the course of our activities.
7. What are your rights?
7.1. Right to access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information featured in point 2.
Since we do not have the technical opportunity to access the data you provided in the app, please use the function ‘Export data‘ in the Settings menu in your App to exercise your right to access. Information on data processed outside the App will be provided to you separately to your e-mail-address.
7.2. Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
You can update your profile with the use of your password.
7.3. Right to erasure and restriction of processing
Under certain circumstances, you have the right to obtain from us the erasure of personal data concerning you without undue delay. Further you have the right to obtain from us restriction of processing if it is obligatory according to Article 18 of GDPR. If you obtain restriction of processing in accordance with the above, we inform you before the restriction of processing is lifted.
You can delete each and any of your profiles form the app with the use of your password.
7.4. Right to data portability
You have the right to receive the personal data concerning you, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us if possible according to Article 20 of GDPR. Where technically feasible, you have the right to have the personal data transmitted directly from us to another controller.
7.5. Right to object
Moreover, you have the right to object on grounds relating to your particular situation (Art 21 GDPR). Such an objection can in particular occur relating to the processing of data for the purposes of direct marketing.
7.6. Right to withdraw the consent
Additionally, you have the right to withdraw any given consent at any time with effect for the future.
7.7. Right to lodge a complaint
You have the right to make a complaint to the Austrian (https://www.data-protection-authority.gv.at/) Supervisory Authority.
Before you make a complaint or if you have any questions relating to data processing, you can contact us at firstname.lastname@example.org
7.8. Identification of the data subject
If we have reasonable doubts concerning the identity of the data subject making the request, we may request the provision of additional information necessary (e.g. ID) to confirm the identity of the data subject.
8. Other provisions
8.1. Processing for a different purpose
If we intend to process the personal data for a purpose other than the original purpose, we will provide you with information about this other purpose and any other necessary information prior to such processing.
Effective: February 2021
XUND Solutions GmbH
9. Appendix – Definitions
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘anonymisation’ means the irrevocable alteration of personal data in a such a manner that the data can no longer be related to an identified or identifiable natural person;
- ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- ‘enterprise’ means a natural or legal person engaged in economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- group of undertakings’ means a controlling undertaking and its controlled undertakings;
- ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
- ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
- ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
© 2021 XUND Solutions GmbH
© 2021 XUND Solutions GmbH