Privacy Policy
The controller takes the protection of your personal data seriously and therefore adheres to the applicable data protection laws. With this Privacy Policy, the controller complies with its information obligations under Art. 12 et seq. of the General Data Protection Regulation (hereinafter referred to as "GDPR") and informs you about the details of the processing of your data as well as about your legal rights in this regard.
The controller reserves the right to adapt this Privacy Policy with future effect, in particular in response to changes in the law or case law as well as technical developments.
Please read this Privacy Policy in connection with the General Terms and Conditions of Business and Use of the Controller.
1. Definitions
- According to Art. 4 No. 7 GDPR, the "controller" is the party that decides the purposes and means of processing personal data. Above all, the controller determines what, how and for what purpose processing occurs. It is responsible for the processing and must ensure that the data protection regulations are complied with.
- According to Art. 4 No. 8 GDPR, the "processor" is the party that acts for the controller and processes personal data on its behalf.
- According to Art. 4 No. 1 GDPR, "personal data" means all information that can be assigned to a directly or indirectly identifiable natural person ("data subject").
- "Processing" means all possible types of data processing in accordance with Art. 4 No. 2 GDPR. These include, in particular, the collection, recording, organisation, ordering, storing, adapting, modifying, reading, querying, using, disclosing, transmitting, distributing, linking, restricting, deleting or destroying personal data.
- According to Art. 4 No. 1 GDPR, "data subject" is the natural person to whom the data processed by the controller can be directly or indirectly assigned.
- According to Art. 4 No. 9 GDPR, "recipient" is the party to which personal data are disclosed, regardless of whether it is a third party or not.
- According to Art. 4 No. 10 GDPR, "third party" means anyone, except the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process personal data.
- According to Art. 9 (1) GDPR, "special categories of personal data" are in particular also health data of the data subject. These data are subject to a higher standard of protection.
- According to Art. 4 No. 15 GDPR, "health data" means personal data relating to the physical or mental health of the data subject and from which information about the state of health of the data subject emerges.
- "Consent" means, pursuant to Art. 4 (11) of the GDPR, any freely given, specific, informed and unambiguous indication of the data subject's wishes in the form of a statement or other clear affirmative action (e.g. ticking a checkbox provided for that purpose) by which the data subject indicates that he or she agrees to the processing of his or her personal data.
- "Service Provider" within the meaning of this Privacy Policy is the doctor or pharmacist who provides the medical pharmaceutical service you have booked.
2. Information on the controller
Responsible for the data processing within the scope of the service offer within the meaning of Art. 4 No. 7 GDPR is, as the provider of the service offer:
Canify Health GmbH
Kastanienallee 89
10435 Berlin
as represented by the Management.
If you have any questions about the processing of your data within the scope of the service offer, you can contact the data controller by e-mail at kontakt@canifyclinics.com.
3. Questions about data protection
If you have any questions about the processing of your data by the controller and regarding the exercise of your rights as a data subject, you can contact the provider or its data protection officer:
Mailing address:
Canify Clinics GmbH
Kastanienallee 89
10435 Berlin
e-mail: kontakt@canifyclinics.com
Data Protection Officer:
With regards to Data Protection the Canify Health GmbH is being represented by:
Christian Volkmer,
Projekt 29 GmbH & Co. KG
Ostengasse 14,
93047 Regensburg
Please note that in the event of an assertion of data subject rights (e.g. request for information), the controller must first verify your identity by means of a suitable procedure.
4. Notes on data security
In order to ensure the best possible protection for your data, the online platform uses Secure Socket Layer encryption (SSL) or Transport Layer Security Encryption (TLS). This encryption ensures that the data transmitted by you cannot be read, redirected or changed by unauthorized third parties during transmission.
Insofar as your data are stored by the controller, this storage takes place exclusively in correspondingly security-certified data centers within the European Union (EU) within the scope of the GDPR. The controller expressly reserves the right to involve external service providers for the storage and processing of your data, who, however, act exclusively on behalf of and in accordance with the instructions of the controller (processors). The processors employed by the controller are contractually obliged by the controller to take such technical and organizational measures (TOMs) that, given to the current state of the art, are suitable for ensuring data protection and data security-compliant processing of your data.
Under no circumstances will the controller or a processor employed by the controller pass your data along to third parties without a legal basis or sell them.
5. Your rights as a data subject
As a "data subject" within the meaning of Art. 4 No. 1 GDPR, you have certain, inalienable rights (rights of data subjects). Accordingly, you have the right
- in accordance with Art. 15 GDPR, to request information about which data the controller has stored about you;
- in accordance with Art. 16 GDPR, to immediately request rectification or completion of the data the controller has stored about you;
- in accordance with Art. 17 GDPR, to request erasure of the data stored by the controller about you, unless this is precluded by a case envisioned under Art. 17 (3) GDPR;
- in accordance with Art. 18 GDPR, to demand restriction of the processing of the data stored by the controller about you, provided that the requirements of Art. 18 (1) (a)-(d) GDPR are met;
- in accordance with Art. 20 GDPR, to request the barrier-free transmission of the data stored by the controller about you, in a structured, commonly used and machine-readable format;
- in accordance with Art. 21 GDPR, to object to the processing of your data if they are processed by the controller on the legal basis of Art. 6 (1) (f) GDPR ("legitimate interest") and your objection arises from a particular situation or is directed against direct marketing. In the latter case, you can also object to the processing without providing any reason;
- in accordance with Art. 7 (3) GDPR, to revoke your consent to the processing of your personal data at any time with future effect;
- to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.
You can assert your rights as a data subject by notifying the controller using the above contact details. The controller reserves the right to verify your identity by means of an appropriate procedure.
6. Use of the online platform, access data
As soon as you use the online platform of the controller at www.canifyclinics.com, the browser you use automatically transmits access data (known as “log files”) to the hosting provider of the platform. These log files contain, among other things, personal data.
Processed data:
- IP address
- Browser type/version
- Operating system of the device used
- Website from which the request comes (known as the “referrer URL”)
- Content of the request (specific page)
- Language settings
- Date and time of the request
- Time zone
- Access status/http status code
- Amount of data transferred
Purposes of processing:
The log files are absolutely necessary to ensure the technical functionality of the online platform. Specifically, the transmission of your IP address is necessary to enable the display of the online platform on the device you are using. The data stored in the context of the log files will neither be merged with other data sources nor used by the provider to identify individual users of the service offer. In particular, there is no evaluation of the transmitted data for marketing purposes.
Legal basis of processing:
The controller bases the lawfulness of this processing on Art. 6 (1) (f) GDPR. The provider bases the "legitimate interest" required for this on its desire to offer you a secure and trouble-free user experience of its online offers.
Recipients of the data:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the online platform on the servers of which it is operated. In this context, the hosting provider acts as a processor within the meaning of Art. 4 No. 8 GDPR for the controller and has been obliged by the controller accordingly on the basis of an order processing contract (in German: AV contract) to establish and maintain suitable technical and organisational measures (TOMs) that serve to protect your personal data.
Storage duration:
The log files are automatically deleted or distorted in such a way that an assignment to you is no longer possible after 14 days at the latest.
Note on your rights as a data subject:
You have the right to object to this processing at any time in accordance with Art. 21 GDPR, for reasons arising from your particular situation. Unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or for the establishment, exercise or defence of legal claims, the controller is required to discontinue its processing of your personal data.
7. Use of cookies
In addition to the aforementioned access data (log files), cookies are used as part of the provider's online platform. These are small text files that are automatically stored by the browser and device you are using. Cookies do not contain viruses, Trojans or other malware that could damage the device you are using. In this context, please note that the use of certain cookies may be necessary for technical reasons (e.g. to enable the display of the platform on your device). Distinguishable from these "technically necessary cookies" are cookies the use of which serves other purposes (e.g. analysis of usage behaviour within the framework of the platform). These are "technically non-necessary cookies".
In the following, initially only processing in the context of the use of technically necessary cookies is discussed. If the provider uses technically non-necessary cookies for purposes of usage analysis, you will be informed about this in separate sections of this Privacy Policy.
Processed data:
- Form data (e.g. log-in information)
- Language settings
- History data (e.g. entered search terms)
Purposes of processing:
The cookies used by the provider enable it to determine that you have already visited individual areas or pages of the online platform and ensure that you do not have to repeat certain entries and settings that you have already made within the framework of the platform. If you have a user account within the online platform, the cookies used will also be used, among other things, to identify you when you return.
Legal basis of processing:
The controller bases the lawfulness of this processing on Art. 6 (1) (f) GDPR. The provider bases the "legitimate interest" required for this on its desire to offer you a secure and trouble-free user experience of its online offers.
Storage duration:
The cookies used are either deleted immediately when you stop calling up the online platform or only after a specified period of time that cannot be determined by the provider.
Note on your rights as a data subject:
You have the right to object to this processing at any time in accordance with Art. 21 GDPR, for reasons arising from your particular situation. Unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or for the establishment, exercise or defence of legal claims, the controller shall cease processing.
You can also prevent the use of cookies by deactivating or gradually restricting the automatic setting of cookies in the settings of the browser you are using. Cookies already stored on the device you are using can also be deleted manually by you in this context. Please note, however, that partial or complete deactivation of cookies in the settings of your browser may mean that you can no longer use the provider's online platform or can no longer use it to its full extent.
8. Disclosure of data to third parties
The controller will only pass your data along to third parties within the meaning of Art. 4 No. 10 GDPR if
- you have given your express consent to the transfer in accordance with Art. 6 (1) (a) GDPR;
- the transfer in accordance with Art 6 (1) (b) GDPR is necessary to initiate or process a contract between you and the controller;
- the controller is legally obliged to pass on the data in accordance with Art 6 (1) (c) GDPR;
- disclosure pursuant to Art. 6 (1) (f) GDPR on the basis of the "legitimate interest" of the controller is necessary for the establishment, exercise or defence of legal claims and there is no reason to believe that you have an overriding, vulnerable interest in not disclosing your data.
9. Contacting the controller
You have the option of contacting the controller via e-mail. The processing of your request makes it necessary for the controller to process the personal data transmitted by you in the context of the request.
Processed data:
- First name, last name
- Date and time of your request
- e-mail address
- Content of your request
Purposes of processing:
The processing of the data transmitted by you in the context of establishing contact is carried out by the controller exclusively for the purpose of processing and answering your request.
Legal basis of processing:
The controller bases the lawfulness of this processing on Art. 6 paragraph 1 letter f) GDPR ("lawfulness of processing ") or on Art. 6 paragraph 1 letter b) GDPR, provided that your contact takes place in the context of the initiation or processing of the contract. The "legitimate interest" follows from the controller's wish to answer your request comprehensively and systematically.
Recipients of the data:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the online platform on the servers of which it is operated and the hosting provider of the e-mail or mail exchange software used by the controller for the receipt and processing of e-mails. In this context, both hosting providers act as processors within the meaning of Art. 4 No. 8 GDPR for the controller and have been accordingly placed under an obligation by the controller based on an order processing contract (OP contract) to set up and maintain technical and organisational measures (TOMs) suitable for the protection of your personal data.
Storage duration:
The processed data will only be stored by the controller for as long as is necessary to process and respond to your request. Subsequently, the data will be deleted by the controller, provided that the deletion does not conflict with any statutory retention obligations.
Note on your rights as a data subject:
You have the right to object to this processing at any time in accordance with Art. 21 GDPR, for reasons arising from your particular situation. Unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or for the establishment, exercise or defence of legal claims, the controller shall cease processing. However, this only applies in the event of processing by the controller on the basis of Art. 6 (1) (f) GDPR ("legitimate interest").
10. Registration and use of the user account
As part of the online platform, you have the option of creating a user-specific account (user account). With the user account, you can log into the password-protected area of the online platform and manage your account data there and, if necessary, use further functions (e.g. booking an online consultation with a service provider). Personal data on your weekly health check-ins is also stored within this context.
Processed data:
- First name, last name
- Address (for the shipment of medicines)
- Health-related data
- e-mail address
- IP address
- Date/time of registration
- Date of last visit
Purposes of processing:
The processing of the data provided by you in the context of the registration of the user is necessary so that the controller can set up a user account for you and thus give you access to its range of services.
Legal basis of processing:
The controller bases the lawfulness of this processing on Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR. Since data can also be requested as part of the registration of the user account, from which information about your state of health emerges, health data within the meaning of Art. 9 (1) GDPR is also processed in this context. Since health data thus belong to the special categories of personal data, processing is only permitted in exceptional cases specified by law. Therefore, the controller bases the processing on your express consent, which you give by actively ticking a checkbox provided for this purpose. If you voluntarily provide the controller with further data (e.g. age, gender), such data will be processed on the basis of Art. 6 (1) (f) GDPR ("legitimate interest") as part of your user account. The "legitimate interest" follows from the wish of the controller to adapt the range of services offered within the framework of the online platform to the needs of the users in the best possible way.
Recipients of the data:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider of the online platform on the servers of which it is operated. In this context, the hosting provider acts as a processor within the meaning of Art. 4 No. 8 GDPR for the controller and has been obliged by the controller accordingly on the basis of an order processing contract (German: AV contract) to set up and maintain technical and organisational measures (TOMs) suitable to the protection of your personal data.
Storage duration:
The data processed and stored within the scope of your user account will only be stored by the controller for as long as is necessary for the afore mentioned purposes of contract initiation and processing. Subsequently, the data will be deleted if there are no legitimate interests to the contrary. Retention obligations under commercial and tax law may require the controller to keep certain data (e.g. first name, last name, address, payment data) for a period of at least 10 years.
Note on your rights as a data subject:
You can revoke your consent once given in accordance with Art. 7 (3) GDPR at any time with future effect vis-à-vis the controller. The revocation of consent does not affect the lawfulness of the processing performed on the basis of the consent prior to revocation.
11. Disclosure of your data for contractual purposes
The core component of the services offered by the controller is the provision of professional and highly specialised medical, telemedical and pharmaceutical services relating to the care of chronically ill patients and, in particular, pain patients. In this context, the controller cooperates with medical and pharmaceutical service providers (doctors and pharmacies) to provide you with access to the corresponding services. Transfer of your personal data is necessary within the scope of mediation of these services. For this purpose, the data you provided as part of your user account will be summarized in an electronic file and, if necessary, made available to the respective service providers for inspection.
Processed data:
- First name, last name
- Address
- Health-related data
- e-mail address
Purposes of processing:
The transfer of your personal data is necessary so that the controller can provide you with the desired medical and/or pharmaceutical services and thus fulfil its contractually owed obligations under the mediation contract concluded with you.
Legal basis of processing:
The controller bases the lawfulness of this processing on Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR. Since your health-related data as a special category of personal data within the meaning of Art. 9 (1) GDPR are also affected in the context of the transfer of your personal data to the service providers involved, processing is only permitted in exceptional cases specified by law. Therefore, the controller bases its processing on your express consent, which you grant by actively ticking a checkbox provided for this purpose.
Recipients of the data:
The recipient of your personal data is the respective service provider to which your personal data are passed along. These are either medical service providers (doctors) and/or pharmaceutical service providers (pharmacies). Both doctors and pharmacists belong to the "group of persons subject to confidentiality" within the meaning of § 203 of the German Criminal Code (StGB). The transfer of your data takes place in the sense of a transmission of functions.
Storage duration:
The processed data stored within the scope of your user account will only be stored by the controller for as long as is necessary for the aforementioned purposes of contract initiation and processing. Subsequently, the data will be deleted unless there are legitimate interests to the contrary. Retention obligations under commercial and tax law may require the controller to keep certain data (e.g. first name, last name, address, payment data) for a period of at least 10 years.
Note on your rights as a data subject:
You can revoke your consent once given in accordance with Art. 7 (3) GDPR at any time with future effect vis-à-vis the controller. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to revocation.
12. Processing by the medical service provider
If the controller forwards your personal data to a medical service provider (doctor), the latter processes your data independently within the framework of the user file (e.g. to prepare for the consultation you have booked).
Processed data:
- First name, last name
- Address
- Health-related data
- e-mail address
Purposes of processing:
The processing of your personal data by the respective medical service provider is necessary so that the provider – in addition to the consultation – has a comprehensive information basis for its independent diagnosis and therapy decision.
Legal basis of processing:
The lawfulness of this processing is based on Art. 9 (2) (h) GDPR. Since the processing of your personal data by the medical service provider also affects your health-related data as a special category of personal data within the meaning of Art. 9 (1) GDPR, processing is only permitted in exceptional cases specified by law. The basis in lawfulness is the treatment contract concluded individually between you and the respective medical service provider within the meaning of § 630a BGB.
Storage duration:
The processed data stored within the scope of your user account will only be stored by the controller for as long as is necessary for the aforementioned purposes of contract initiation and processing. Subsequently, the data will be deleted unless there are legitimate interests to the contrary. Retention obligations under commercial and tax law may require the controller to keep certain data (e.g. first name, last name, address, payment data) for a period of at least 10 years.
13. Transfer for the purpose of receivables management
The controller reserves the right to pass on the information stored in the user account to a lawyer and/or external service providers in the event of non-payment.
Processed data:
- First name, last name
- Address
- Particulars of the outstanding claim
Purposes of processing:
The aforementioned data are passed on for the purposes of enforcing rights under law.
Legal basis of processing:
The controller bases the lawfulness of the processing on Art. 6 (1) (f) GDPR ("legitimate interest"). The "legitimate interest" of the controller follows from the securing and enforcement of outstanding claims.
Recipients of the data:
The recipient of your personal data is a law firm to be commissioned by the controller in individual cases, or a corresponding external service provider.
Storage duration:
The processed data will only be stored by the controller for as long as is necessary for the aforementioned purposes of receivables collection. Subsequently, the data will be deleted, in the absence of legitimate interests to the contrary. Retention obligations under commercial and tax law may require the controller to keep certain data (e.g. first name, last name, address, payment data) for a period of at least 10 years.
Note on your rights as a data subject:
You have the right to object to this processing at any time in accordance with Art. 21 GDPR, for reasons arising from your particular situation. Unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or for the establishment, exercise or defence of legal claims, the controller is required to cease processing these personal data.
14. Usage analysis using Google Analytics
Google Analytics is used as part of the online platform. This is a web analysis service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The web analysis service enables the controller to collect anonymized usage data using technically unnecessary cookies and to evaluate them statistically. For more information about Google Analytics, see https://analytics.google.com.
Processed data:
- Anonymised IP address
- Browser type/version
- Operating system of the device used
- Website from which the request comes (known as a “referrer URL”)
- Content of the request (specific page)
- Date and time of the request
- Time zone
- Access status/http status code
- Amount of data transferred
- Duration of the respective page view
The data collected in the context of the use of Google Analytics are anonymised and can no longer be assigned to you after anonymisation.
Purposes of processing:
Your anonymised data are processed so that the controller can adapt its range of services to the needs of the users.
Legal basis of processing:
The controller bases the lawfulness of the processing on Art. 6 (1) (a) GDPR. Since technically unnecessary cookies are used for the collection of usage data, the controller bases the processing on your express consent. You grant this by expressly agreeing to the use of the corresponding cookies when visiting the online platform.
Recipients of the data:
The recipient of your personal data within the meaning of Art. 4 No. 9 GDPR is the hosting provider on the servers of which Google Analytics is hosted. In this context, the hosting provider acts as a processor within the meaning of Art. 4 No. 8 GDPR for the controller and has been obliged by the controller accordingly on the basis of an order processing contract (German: AV contract) to set up and maintain technical and organisational measures (TOMs) suitable for use in protecting your personal data.
Storage duration:
The processed data will be stored by the controller until the revocation of your consent once given.
Note on your rights as a data subject:
You can revoke your consent once given in accordance with Art. 7 (3) GDPR at any time with future effect vis-à-vis the controller. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to revocation.
15. Integration of third-party content
Under certain circumstances, third-party content, such as videos or graphics, may be integrated into the online platform. The integration of this content requires that the providers of this (hereinafter referred to as "third-party providers") be able to view your IP address; otherwise, the content cannot be displayed within the framework of the browser you are using.
The controller endeavours to use only the content of such third-party providers who use your IP address exclusively for the purpose of content delivery. However, the controller has no influence on the fact that third-party providers process your IP address for other purposes, such as statistical evaluations. If the controller becomes aware of such an approach, you will be informed within the framework of these data protection provisions.
You have the option to prevent the processing of your data by downloading a browser add-in and installing it in the browser you are using to block Java scripts. You also have the option of deactivating the use of Java scripts in your browser settings.
16. Subscribing to the newsletter / e-mails for marketing purposes
If you wish, you can subscribe to the newsletter of the controller. The controller relies on the e-mail distribution service provided by SendGrid to manage your personal data as well as for the purposes of newsletter design and distribution. The service provider is Twilio Inc., 889 Winslow St, Redwood City, California, 94063 USA.
Part of SendGrid data processing activities takes place in the USA. In the case of SendGrid, data processing by or data transfers to recipients established in so-called third countries (outside of the EU) is based on so-called standard contractual clauses pursuant to Article 46(2) and (3) of the EU GDPR. Standard Contractual Clauses (SCC) are model contract clauses issued by the EU Commission to ensure that your data is processed in accordance with European data protection standards even if it is transferred to and stored in third countries (such as the US). Through these clauses, SendGrid commits itself to upholding data protection safeguards that are in line with European protection requirements when processing personal data in third countries.
You can access the privacy statement of SendGrid at https://www.twilio.com/legal/data-protection-addendum. For more information on the processing of data by SendGrid, please visit https://www.twilio.com/legal/privacy.
Processed data:
- E-mail address
- Opening and click-through rates
Purposes of processing:
The controller sends out newsletters to inform you about new offers and changes to the existing range of services as well as for reminder advertising.
Legal basis of processing:
The lawful basis the controller relies on for the processing of personal data is Art. 6 (1) (a) GDPR. Since the newsletters are also sent for marketing purposes, the controller relies on your explicit consent. You can give your consent by accepting the use of the corresponding cookies while visiting the online platform.
Recipients of the data:
The recipient of your personal data as defined in Article 4 (9) of the EU GDPR is SendGrid.
SendGrid will act as a processor on behalf of the controller in accordance with Article 4 (8) of the EU GDPR and has committed itself to implementing and upholding appropriate technical and organizational measures, which are governed by a data processing agreement established between the controller and the processor.
Storage duration:
The processed data will be kept by the controller until you revoke your consent once given.
Note on your rights as a data subject:
You can revoke your consent once given in accordance with Art. 7 (3) GDPR at any time with future effect vis-à-vis the controller. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to revocation.
17. Appointment management/ contacting users
To establish the contractual relationship and especially to manage appointments, the controller may use the personal information provided to contact you by phone or in writing (e.g., text messages, e-mails).
Processed data:
- First and last name
- Address
- E-mail address
- Phone number/ mobile phone number
Purposes of processing:
The controller uses your information to contact you to ensure that you can receive the services agreed in your contract, especially for activities such as managing your appointments.
Legal basis of processing:
The lawful basis the controller relies on for the processing of personal data is Art. 6 (1) (a) GDPR, as the processing of data is necessary for the controller to fulfill its contractual obligations.
Recipients of the data:
The recipient of your personal data as defined in Art. 4 (9) GDPR is the controller.
Storage duration:
The controller will keep the data processed and stored under your user account only for the time that is necessary to achieve the aforementioned purposes of establishing and managing the contract. Thereafter, your data will be deleted, providing that there are no legitimate interests to keep your data. In keeping with the mandatory retention periods enshrined in the applicable commercial and tax legislation, the controller may be required to keep certain types of data (e.g., first name, surname, address, payment data) for a period of at least 10 years.
18. Usage analysis with Hotjar
Our website relies on the web analytics services of Hotjar provided by the company Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta). This web analytics service allows the controller to collect anonymised usage data using technically non-essential cookies and conduct statistical analyses of this data. For more information, please visit the “About Hotjar” section on the Hotjar help page.
You can find more specific information about cookies on https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookies.
Processed data:
- IP address (collected and stored in an anonymised format)
- Screen size
- Device type (unique device identifier)
- Browser type
- Geographical location (country only)
- Preferred language used to display our website
- Pages visited (subpages)
- Date and time of visit to the subpages of our website (websites)
Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually bound to refrain from selling data collected on our behalf.
Purpose of processing:
Your data is processed in an anonymized format so that the controller can adjust its range of services to the needs of users.
Legal basis of processing:
The lawful basis the controller relies on for the processing of personal data is Art. 6 (1) (a) GDPR. Since the collection of usage data involves the use of technically non-essential cookies, the controller relies on your explicit consent. You can give your consent by accepting the use of the corresponding cookies while visiting the online platform.
Recipient of the data:
The recipient of your personal data as defined in Article 4 (9) of the GDPR is Hotjar.
Hotjar will act as a processor on behalf of the controller in accordance with Article 4 (8) of the GDPR and has committed itself to implementing and upholding appropriate technical and organizational measures, which are governed by a data processing agreement established between the controller and the processor.
Storage duration:
As part of its policy, Hotjar retains data for 365 days from the date of capture. This means that after 365, all data collected by Hotjar will be automatically deleted.
Note on your rights as a data subject:
You can revoke your consent once given in accordance with Art. 7 (3) GDPR at any time with future effect vis-à-vis the controller. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to revocation.
19. Usage analysis with Sentry
On our website, we use the error tracking tool provided by Sentry. The service provider is the US company Sentry Inc., San Francisco, 132 Hawthorne St, San Francisco, USA.
Part of Sentry’s data processing activities takes place in the USA. In the case of Sentry, data processing by or data transfers to recipients established in so-called third countries (outside of the EU) is based on so-called standard contractual clauses pursuant to Article 46 (2) and (3) of the GDPR. Standard Contractual Clauses (SCCs) are model contract clauses issued by the EU Commission to ensure that your data is processed in accordance with European data protection standards even if it is transferred to and stored in third countries (such as the US).
Through these clauses, Sentry commits itself to upholding data protection safeguards that are in line with European protection requirements when processing personal data in third countries.
You can access the privacy statement of Sentry at https://sentry.io/privacy/.
You can find the Data Processing Addendum, which corresponds to the Standard Contractual Clauses, at https://sentry.io/legal/dpa.