Note: this is an automatic translation of our German terms and conditions.
of DiaMonTech AG for the application "Diamoki" and its website
The protection of your data and privacy is very important to us. We are aware that your personal data and especially your health data are sensitive. Health data is "special personal data" that is particularly worthy of protection. We process your data only to the extent necessary to provide the services you have requested.
1. Purpose and scope
The data protection declaration is valid for the application "Diamoki" and for the associated website.
2. On what legal basis do we process personal data?
DiaMonTech AG, based in Berlin, processes your personal data in connection with the Diamoki app ("App") and the website www.diamoki.de ("Website").
We are the "controller" within the meaning of the General Data Protection Regulation ("GDPR").
Your health data that you enter in the App is considered sensitive personal data according to Art. 9 para. 2 lit. a) GDPR in conjunction with § 4 para. 2 no. 1 DiGAV processed on the basis of your consent. Consent is given explicitly and voluntarily during the registration process in the application.
We process your identification and contact data as well as data on the performance of the contract and communication with you on the basis of the performance of the contract pursuant to Art. 6 (1) lit. b) GDPR.
In addition, we process your personal data insofar as this is necessary for the fulfilment of our legal obligations pursuant to Art. 6 para. 1 lit. c) GDPR. We generally process your personal data to the extent required by relevant legal provisions in relation to our obligation to keep records and related tax obligations or in relation to the legal obligation to keep records.
With your optional consent for technical functionality, you can further consent that we may process the details and information provided by you when setting up the Diamoki App to permanently ensure the technical functionality, user-friendliness and further development of the Diamoki App. Data collected in this context is not necessary for the use of the app per se and has no connection with your health data. The collection of this data (e.g. for user statistics) is optional, but does not relate to system logs and operational metrics that are required for the usual maintenance of safe operation.
3. Why do we process your personal data?
We process your personal data to enable you to register with the application and use its features or the Diamoki website, and to enter into and subsequently perform a contract with you under which you may use the application (the "Contract").
Diamoki is a mobile application designed to assist you in the daily management of your diabetes mellitus or prediabetes (so-called self-management). It provides monitoring and analysis of diabetes-related parameters, which is intended to enable you to improve your self-management and make lifestyle changes to improve your health, reduce the burden of disease, prevent health complications and achieve positive clinical outcomes.
The purpose of processing your daily routine and health data is therefore to provide the app for its intended use as a digital health app.
4. What personal data do we process?
Your data is collected by you providing it to us. Other data is collected automatically by our IT systems after your consent.
Data in the application
We process the following personal data in order to provide the application and to be able to enter into and perform a contract for the use of the application:
○ Identification and contact details
- Email address
○ Health data
- Diabetes type
- Blood glucose levels and history
- Diet and eating habits
- Physical activities
- State of mind
Certain information is already processed automatically as soon as you use the app. When you download the Diamoki app, certain required information is transmitted to the respective app store (e.g. Google Play or Apple App Store). In particular, the user name, the e-mail address, the customer number of your account, the time of the download as well as the individual device identification number may be processed. This data is processed exclusively by the operator of the respective app store and is beyond our control. In this context, information is also transmitted to provide push messages and to monitor app performance. No health data is transmitted or disclosed.
Data on the website
In order to send information and messages about our services or products, we use the email address received when the contract is concluded and the service is provided by us.
Technical data and usage data
Technical data informs us which hardware, operating system and app version you use to use Diamoki. For this purpose, we collect the following data:
- Platform (e.g. iOS or Android).
- Manufacturer and model of your device
- Version of the operating system on your device
- Version of the Diamoki app
User data is data that tells us how you use the app and website. For this purpose, we collect the following data:
- Times and frequency of app use
- Areas of the app that were used
- Duration of use
- App settings used (language settings, notifications)
- Feedback data (incl. email service)
5. When do we process your data?
We collect and store your data (Personal Data, Health Data, Technical Data and Usage Data) while you are using the App and maintaining a user account in the App (see Ch. 4).
If your data is processed on the basis of your consent, the data processing will be terminated as soon as you revoke your consent to this or the purpose of the data processing has ceased.
6. Where do we store your data and how do we process it?
Data processing is primarily carried out electronically, including automated means, in particular by the software ensuring the operation of the Application and the Diamoki Website or by automated means of our processors listed below.
Personal data may also be processed manually in accordance with the relevant purpose if this is necessary or appropriate.
Storage on your terminal device
To improve data protection, we limit the data we store on your device in encrypted form to the following elements:
- email address
- Diabetes type
- Blood glucose levels and history
- Blood pressure
- Diet and eating habits
- Physical activities
Storage on cloud-based server
All your data is stored on servers of our IT service provider T-Systems International GmbH, Frankfurt am Main within the EU, who processes it on our behalf and on the legal basis of Art. 28 GDPR.
- Data transfer - The Diamoki app communicates with the server via encrypted connections using SSL (Secure Socket Layer).
- Firewall - The server we use is located behind a firewall so that it is protected as best as possible from unwanted access.
- ISO 27001 - Both DiaMonTech AG and our provider T-Systems International GmbH are certified according to ISO 27001, an internationally recognised standard for information security.
To protect your personal data, we have taken further appropriate technical and organisational measures in line with the state of the art and in accordance with the GDPR, such as:
- Encryption (Transport Layer Security, TLS; Secure Socket Layer, SSL)
- authorisation data
- Physical security devices
- Authorisation, implementation and enforcement of internal data protection regulations
7. From whom and to whom is personal data transferred?
7.1 Sources of personal data
We collect personal data in the first place from users of the Diamoki app or the Diamoki website. We ask you to only provide us with accurate data and, in the event of a change in personal data, to update it immediately.
We collect data in an automated form that is generated by the activity of the users.
We may collect some data (e.g. about the user's physical activity, blood glucose) from third party devices and applications; typically from mobile applications that collect activity data (Apple Health, Google Fit and others) and blood glucose meters. This data may be used on the condition that the user connects the relevant device to the application for this purpose and authorises data sharing for the purposes of the application under the conditions set out in this document.
7.2 Recipients of personal data
We do not share your data with third parties unless we are required to do so by law or you have given us your explicit and specific consent to do so.
Your consent also includes us sending data to certain third party providers for data processing that is required to provide our service under our TOS.
It also includes the forwarding of data in anonymised form to research institutions for the sole purpose of having our product clinically validated. Only with your explicit and additional specific consent do we also transfer your data to individual doctors or therapists, funding agencies or research institutions.
The following processors may process your personal data on our behalf:
- T-Systems International GmbH, Hahnstraße 43d, D-60528 Frankfurt am Main, Germany, data centre operator https://open-telekom-cloud.com/de/sicherheit/datenschutz-compliance
- Zendesk International Ltd, 55 Charlemont Place, St. Kevins, Dublin, D02 F985, Ireland, e-mail support, company guidelines recognised by the EU (so-called BCRs, Binding Corporate Rules) in accordance with Art. 40 GDPR, whereby Zendesk proves and guarantees that personal data is handled in accordance with data protection law within the meaning of the GDPR
- External employees of the Operator (external consultants and other contractors of the Operator involved in the creation and management of the Application, if the processing of your personal data by a specific employee and for the performance of his or her tasks is strictly necessary.
Unless otherwise stated, we do not transfer personal data outside the EU.
Personal data may be transferred to public authorities for the exercise of their powers.
8. How long do we store your data?
The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of this period, the relevant data will be deleted as a matter of routine, provided they are no longer required for the fulfilment of the contract or the contract initiation.
9. How can you revoke the processing of your personal data?
You can revoke your consent to the processing of your personal data (health data) at any time via the corresponding button in the application (Hauptmenü Einstellungen Imprint, GTC and data protection) as well as via the email address email@example.com. Your user profile will be deleted at this time. This has no effect on the lawfulness of the data processing that took place before the revocation.
With the revocation, any remaining period of use that may have already been paid for expires without the possibility of crediting or reimbursement. The blocking cannot be reversed.
However, information about your health is essential for the proper functioning of the application. If you no longer consent to us processing data about your health for the above purpose, please note that you will no longer be able to use the application.
Your data will be archived for a period of 3 years from the time of revocation in accordance with the statutory retention obligation. They will no longer be processed beyond archiving and can no longer be viewed. After this period, the data will be deleted.
Before revocation, you have the option of transferring your data. You can do this directly in the app (Hauptmenü Impressum, AGBs and data protection) or by sending an e-mail to firstname.lastname@example.org.
If other legal, contractual or tax law or commercial law retention obligations or other legally anchored reasons contradict the revocation, only the continued blocking of your account can be carried out instead of the deletion.
You can revoke your consent to the use of the optional data (technical data) via the corresponding button in the application (Hauptmenü Einstellungen Imprint, GTCs and data protection) as well as via the e-mail address email@example.com at any time without the use of DiGA being restricted for you.
10. What rights do you have regarding your data?
You have the right to obtain information about the origin, recipient and purpose of your stored personal data at any time. You also have a right to request the correction or deletion of this data. If you have given consent for data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You can find the legal basis for your data subject rights in the following articles of the General Data Protection Regulation:
- Art. 15 GDPR - the right to information (see chap. 11)
- Art. 16 GDPR - the right to rectification (see chap. 13)
- Art. 17 GDPR - the right to erasure (see ch. 13)
- Art. 18 GDPR - the right to restriction of processing (see ch. 13)
- Art. 20 GDPR - the right to data portability (see ch. 14)
- Art. 21 GDPR - the right to object (see ch. 12)
- Art. 7 (3) of the GDPR - the right to withdraw consent (see ch. 9)
- Art. 77 of the GDPR - the right to lodge a complaint with a supervisory authority (see chapter 15).
11. How can you get information about your data?
You have the right to information about your data stored by us. If DiaMonTech AG and/or Diamoki stores personal data about you, we will be happy to send you a copy of this data on request (see Chapter 15). This includes information about the purpose of the storage, category of the stored data, recipients of the data and persons authorised to access the data as well as, if possible, the duration of the data storage and criteria for determining this duration.
12. How can you object to data processing?
In addition to revocation (see chap. 8), you have the right to object to the processing of your data by DiaMonTech AG and/or Diamoki on grounds relating to your particular situation (see chap. 15).
13. How can individual data be corrected, deleted or processing restricted?
Data entered incorrectly in the application can be corrected by you on the same day in the application. Questions in this regard or requests for corrections beyond this can be sent to us (see chapter 15). A partial deletion of your data or a restriction of data processing is possible if there is a legal basis for this according to Art. 17 or Art. 18 GDPR.
14. How can your data be transferred?
It is possible to transfer your stored data in a structured, common and machine-readable format. If desired, there is also the possibility of transferring the data directly to a third party, insofar as this is technically feasible and if we have your explicit and specific consent for this (see chapter 15).
15. Who can you contact about data protection or data protection-related complaints?
For all questions on the subject of data protection or data protection-related complaints, you can contact our data protection officer at any time.
Data Protection Officer
Boxhagener Str. 82A
We will do our best to resolve your concern to your fullest satisfaction.
In addition, you can contact the data protection supervisory authority responsible for your location: https://www.bfdi.bund.de if you do not agree with our handling of your data.
We reserve the right to change this data protection declaration in compliance with data protection law. You will find the current version in an appropriate, easy-to-find place in the app and on the website.
17. Information on your obligations to ensure data security
You can help ensure the maximum security of your data yourself by taking appropriate measures and following basic procedures to ensure the security of the App and the data transmitted through it. According to the contract concluded with DiaMonTech AG, as a user of the application you are obliged to,
- provide virus protection on your devices (if possible),
- not to use shared publicly accessible devices (e.g. in libraries, etc.),
- use other unverified devices to access the application,
- Ideally, only use your own secure and authenticated devices to access the application; and
- not to use publicly accessible networks to access the application and transfer data, especially unsecured Wi-Fi connections.