Privacy Policy NeuroNation MED
The NeuroNation MED medical device conforms to the requirements of the Medical Devices Act, the GDPR and the BDSG. In this data protection declaration, we describe the handling of your data. The data can be personal or health data. We always treat your data as strictly confidential.

Privacy Policy - Web

The website www.neuronation-med.de is a sales website for the NeuroNation MED app. Therefore, the privacy policy of the website is to be understood as an extension to the privacy policy of the app. Basically, the same general provisions apply.

A service provider relevant to the purposes under the following sections below is used solely for this website:
  • 4.3. Server log files
  • 4.9. Hosting and Content Delivery Networks (CDN)

The server provider for this website is Tilda Publishing Ltd, Pembroke House,
28-32 Pembroke Street Upper, Dublin, Ireland, D02 EK84.
You can find Tilda's privacy policy here:
https://tilda.cc/privacy

The provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
  • operating system used
  • Host name of the accessing computer
  • Time of server request
  • IP address
This data is not merged with other data sources.

The data of the users of the NeuroNation MED app are never processed by this service provider.

This data is recorded on the basis of Art. 6 Para. 1.lit. f. GDPR. The operator has a legitimate interest in the technically error-free presentation and optimization of his website - the server log files must be recorded for this purpose.
Cookies are only set if they are necessary for the technical operation or to ensure the security of the website.

Embedded content from other websites

Posts on this website may contain embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves exactly as if the visitor had visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking services and record your interaction with this embedded content, including your interaction with the embedded content if you have an account and are logged in to this website.

Privacy Policy - NeuroNation MED App

1. General

1.1. Introduction
The NeuroNation MED application is a mobile application of computer-based cognitive training based on playful exercises of various cognitive functions (Multi-Domain Cognitive Training). A wide range of customized tasks and progress control functions are available within the application for training these skills. The application is intended to relieve the symptoms of patients with mild or moderate cognitive disorders. The NeuroNation MED application is a class I medical device according to the Medical Devices Regulation 2017/45 and the Medical Devices Act.

We take the protection of your personal data very seriously and treat it confidentially and in accordance with the statutory data protection regulations and this data protection declaration.
This privacy policy applies to the NeuroNation MED iOS and Android apps (hereafter “APPLICATION”).
This document explains the type, purpose and scope of data collection as part of the use of our products.

The following notes provide a simple overview of what happens to your personal data when you visit or use our APPLICATION. Personal data is all data with which you can be personally identified. Detailed information on the subject of data protection can be found in our data protection declaration listed under this text. Health data is any data relating to an individual's physical or mental health, including the provision of health care services, that reveals information about their health condition.

We would like to point out that data transmission on the Internet can have security gaps. A complete protection of the data against access by third parties is not possible. Please also make sure that you alone have access to your end device and that you are using trustworthy networks. Security issues that might otherwise arise cannot be fully addressed by us.

1.2. Responsible body
Responsible body for data processing within the scope of this APPLICATION is:
Synaptikon GmbH
Friedrichstraße 68
10117 Berlin, Germany
E-Mail: info@neuronation-med.de

"Responsible body" is the body that collects and processes personal data (e.g. names, e-mail addresses, etc.). or uses.

1.3. Data Protection Officer
If you have any general questions about data protection, you can contact our data protection officer, Mike Peter, at the following E-Mail address:
E-Mail: dpo@neuronation.de

1.4. General storage period of personal data and health data
Subject to deviating or more specific information within this data protection declaration, the personal data collected by this APPLICATION will be stored until you request us to delete it (see 6. Deletion of data (deletion concept)), revoke your consent to storage or the purpose for data storage no longer applies. If there is a legal obligation to store or another legally recognized reason for storing the data (e.g. legitimate interest), the relevant personal data and health data will not be deleted before the respective reason for storage no longer applies.

1.5. Legal bases for the storage of personal data and health data
The processing of personal data and health data is only permitted if there is an effective legal basis for the processing of this data. If we process your data, this is done regularly on the basis of your consent in accordance with Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 , for the purpose of fulfilling a contract in accordance with Article 6 Paragraph 1 Letter b GDPR (e.g. when using activated functions of the APPLICATION) or based on legitimate interests in accordance with Article 6 Paragraph 1 Letter f GDPR, the always be weighed against your interests. The relevant legal bases may be specified in a separate place in this data protection declaration.

1.6. Encryption
This APPLICATION uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the operator, or communication between users. This encryption prevents the data you transmit from being read by unauthorized third parties.

1.7. Changes to this data protection declaration
We reserve the right to change this data protection declaration at any time in compliance with legal requirements.

2. You have the following data protection rights under the law:
2.1. Generally
The GDPR grants data subjects whose personal and health data we process certain rights, which we would like to inform you about at this point:

Right to information (Article 15 GDPR, Section 34 BDSG)
Right to erasure (Article 17 GDPR, Section 35 BDSG). )
Right to rectification (Article 16 GDPR, Section 34 BDSG)
Right to restriction of processing (Article 18 GDPR)
Right to notification and notification in the context of rectification, deletion or restriction to recipients (Article 19 GDPR)
Right to data portability (Article 20 GDPR )
Right to revoke consent (Article 7 (3) GDPR)
Right to object (Article 21 GDPR)
Right not to be subject to automated individual decision-making or profiling (Article 22 GDPR)

You can contact us at any time to assert your rights described here. Our contact details can be found under point 1 "Responsible body" or "Data protection officer". You also have the right to complain to the data protection supervisory authority responsible for us. In Berlin - our headquarters - this is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin. Alternatively, you can contact the data protection authority at your place of residence, which will then forward your request to the competent authority.

Data processing operations in the APPLICATION are only possible with your consent. We will expressly obtain your consent before starting data processing. You can revoke this consent at any time via the app settings or by E-Mail. An informal message to info@neuronation-med.de is sufficient. The legality of the data processing operations that took place up until the revocation remains unaffected by the revocation.

2.2. Information about your right of objection according to Art. 21 GDPR
You have the right, for reasons that arise from your particular situation, at any time against the processing of personal data and health data relating to you on the basis of Art. 6 Para. 1 Subparagraph 1 lit ) takes place to file an objection; this also applies to profiling based on this provision.
The respective legal bases on which processing is based can be found in this data protection declaration.
If you file an objection, we will no longer process your personal data and health data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.


2.3. Right to lodge a complaint with a supervisory authority
In the event of violations of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. A list of the supervisory authorities (for the non-public area) with addresses can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI).


2.4. Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us by E-Mail at any time. The right to restriction of processing exists in the following cases:
  • If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the examination, you have the right to request that the processing of your personal data be restricted.
  • If the processing of your personal data happened/is happening unlawfully, you can request the restriction of data processing instead of deletion.
  • If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request that the processing of your personal data be restricted instead of being deleted.
  • If you have lodged an objection in accordance with Art. 21 (1) GDPR, your interests and ours must be weighed up. As long as it is not clear whose interests prevail, you have the right to request that the processing of your personal data be restricted.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State are processed.

2.5. Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another person responsible, this will only be done to the extent that it is technically feasible.

2.6. Information, deletion and correction
You have the right to free information about your stored personal data and health data, its origin and recipient and the purpose of the data processing as well as a right to correction or deletion of this data at any time. You can contact us by E-Mail at any time if you have any further questions on the subject of personal data and health data.

3. APPLICATION access rights
In order to provide our services through the APPLICATION, we require the access rights listed below, which allow us to access certain functions of your device.
  • WiFi connections
  • Receiving data from the Internet
  • network access
  • Battery saver (prevent device from going into "sleep mode")
  • vibration control
Access to the device functions is required to ensure the functionalities of the APPLICATION. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR, your consent within the meaning of Art. 6 Para. 1 lit. a GDPR and/or - if a contract has been concluded - the fulfillment of our contractual obligations (Art. 6 Para. 1 lit. b GDPR).
The data collected in this way is generally not stored for longer than is required to use the relevant functions, but no longer than 24 hours after the app has been uninstalled.

4. Collection and processing of personal data and health data as part of the use of the APPLICATION
Below we describe what personal data we collect, for what purposes we process it and on what legal basis we do this.

4.1. Downloading the app
You can download the app from the Google Play Store or the Apple App Store. When downloading apps from the Google Play Store or the Apple App Store, the information required for this is transmitted to Google Ireland Limited or Apple Distribution International in Ireland, i.e. in particular the user name, e-mail address and customer number of your Google or Apple accounts, time of download and unique device ID. We have no influence on this data collection and are not responsible for it.
Further information can be found in the respective data protection notices of Google (https://policies.google.com/privacy) and Apple (https://www.apple.com/legal/privacy/de-ww/).

4.2. General
If you use our APPLICATION, we collect the following personal and health data from you, depending on availability:
  • usage data
  • metadata
  • IP address
  • device identifier
  • E-mail address
  • time zone
  • Language
  • age group
  • Mobile IDs (IDFA, IDFV, Android ID etc.)
  • Results from questionnaires and evaluations
The processing of this personal data and health data is necessary to ensure the functionality of the APPLICATION. The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) GDPR, your consent within the meaning of Article 6(1)(1)(a) GDPR and/or - if a contract has been concluded – the fulfillment of our contractual obligations (Art. 6 Para. 1 lit. b GDPR).

4.3. Server log files
The server provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. The data protection declaration of IONOS SE can be found here:
https://www.ionos.de/terms-gtc/terms-privacy
The server provider automatically collects and stores information in so-called server log files, which your browser or the APPLICATION automatically transmits to us. These are:
  • operating system used
  • Host name of the accessing computer
  • Time of server request
  • IP address
This data is not merged with other data sources.
This data is collected on the basis of Article 6 (1) (f) GDPR. The operator has a legitimate interest in the technically error-free presentation and optimization of its APPLICATION - the server log files must be recorded for this purpose.

In the case of our medical device version 1.2.2 or lower, the following service provider with data processing and encryption in Germany was previously used in the APPLICATION instead of IONOS SE:
AWS Europe (Amazon Web Services EMEA SARL), 38 avenue John F. Kennedy, L-1855 Luxembourg
The data protection declaration of AWS Europe can be found here:
https://aws.amazon.com/de/compliance/data-privacy
As of our medical product version 1.2.3, this service provider has been omitted.

4.4. Registration in the APPLICATION
You can register in our APPLICATION or create access. You need the following data for registration:
- Your e-mail address
- Your freely chosen password


After successful registration and confirmation of your e-mail address, you can log in using your e-mail address and your password. We process the aforementioned data so that you can use the APPLICATION and manage your profile.
For important changes, such as the scope of the offer or technically necessary changes, we use the e-mail address provided during registration to inform you in this way. The data collected during registration (email and password) will be stored by us as long as you are registered in this APPLICATION. Statutory retention periods and the deletion concept under Section 6.ff. stay untouched.

By completing the registration in the APPLICATION, you agree to the processing of personal and health data for the purpose of using the APPLICATION and for evidence purposes in accordance with Section 134 (1) sentence 3 SGB V.

4.5. Redeeming an Unlock Code
If you have a DiGA (“digital health application”) activation code from your health insurance company to activate the training functions of the APPLICATION, then the code will be verified by us with the health insurance company and used to bill the DiGA. This is done on the basis of the DiGAV (Digital Health Applications Ordinance) §4 (2) for verification of agreements § 134 paragraph 1 sentence 3 of the fifth book of the Social Code.

4.6. Use of the Content of the APPLICATION
When you use the content of the APPLICATION, we process data that is necessary for the provision of the training and training evaluation functions (e.g. age group, answers to questions about your progress, progress data in the exercises, consent to the training reminder, training settings).
The processing takes place on the basis of Art. 6 Para. 1b GDPR to fulfill a contract or to carry out pre-contractual measures as well as Art. 6 Para. 1f GDPR to protect our legitimate interests.


4.7. Requests via E-Mail
If you contact us by E-Mail you will always receive an initial response within 24 hours. Your request, including all resulting personal data (e.g. E-Mail address, request) will be stored and processed by us for the purpose of processing your request. This data is processed on the basis of Article 6 (1) (b) GDPR if your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 Para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 Para. 1 lit. f GDPR), since we have a legitimate interest in the effective processing the inquiries addressed to us. The data you sent to us via contact request will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular statutory retention periods - remain unaffected. We do not pass on your data without your consent.

For data processing of e-mails we use the services of mailbox.org from Heinlein Support GmbH and Zammad from Zammad GmbH. These services enable the receipt, processing and sending of customer inquiries, as well as the evaluation of the inquiries and their processing.

The privacy policy of mailbox.org is located here:
https://mailbox.org/de/datenschutz

The privacy policy of Zammad is located here:
https://zammad.org/gdpr


4.8. Newsletter data
If you would like to receive the newsletter offered in our APPLICATION, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected. We use this data exclusively for sending the requested information and do not pass it on to third parties.

The newsletter is sent on the basis of your consent (Art. 6 Para. 1 lit. a GDPR) for the purpose of intended use, user-friendliness and further development of the APPLICATION in accordance with Section 4 Para. 2 DiGAV. You can revoke this consent at any time.
We use the following service providers to send the newsletter:
Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin

The data protection declaration of the service provider and its product mailbox.org can be found here: https://mailbox.org/de/datenschutz
We also use the following service providers in this context: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur.
The data protection declaration of IONOS SE can be found here: https://www.ionos.de/terms-gtc/terms-privacy

With our medical device version 1.2.2 or lower, the following service provider with data processing and encryption in Used in Germany:
AWS Europe (Amazon Web Services EMEA SARL), 38 Avenue John F. Kennedy, L-1855 Luxembourg
The AWS Europe Privacy Policy can be found here:
https://aws.amazon.com/de/compliance/data-privacy

From our medical device version 1.2.3 and the Apple App Store or Google Play Store app versions 1.2.28 or higher, we use the following service: Brevo (Sendinblue, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 498 019 298 with its registered office at 106 boulevard Haussmann 75008 Paris (hereafter “Brevo“)).


The Brevo Privacy Policy can be found here:
https://www.brevo.com/legal/privacypolicy/

4.9. Hosting and Content Delivery Networks (CDN)
The web services associated with this APPLICATION are hosted by an external service provider (hoster). The personal data collected in this APPLICATION is stored on the host's servers.
The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 Para. 1 lit. b DSGVO) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 Para 1 lit. f GDPR).
Our hoster will only process your data to the extent that this is necessary to fulfill its performance obligations and will follow our instructions in relation to this data.
In order to ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.

As a host we use IONOS SE
Elgendorfer Str. 57
56410 Montabaur
(IONOS).
The data protection declaration of IONOS SE can be found here:
https://www.ionos.de/terms-gtc/terms-privacy . Personal data is transmitted in encrypted form and stored in Germany.
With our medical device version 1.2.2 or lower, the following provider was previously used in the APPLICATION instead of IONOS SE:
AWS Europe (Amazon Web Services EMEA SARL), 38 avenue John F. Kennedy, L-1855 Luxembourg
You can find the data protection declaration of AWS Europe here:
https://aws.amazon.com/de/compliance/data-privacy

4.10. Processing of data within the framework of the Digital Health Applications Ordinance (DiGAV)
As described above, the DiGA activation code, which can be obtained as part of a prescription from a treating doctor, therapist or approval from your statutory health insurance company, can be entered in the APPLICATION. If you obtain the APPLICATION in this way, the Digital Health Applications Ordinance, or DiGAV for short, specifies and supplements the requirements of the General Data Protection Regulation (GDPR) and other data protection requirements for the manufacturer's company and for the DiGA itself. The personal data and Health data is only processed for the following purposes:
(1) for the intended use of the digital health application by the user,
(2) for the proof of positive supply effects in the context of a test according to § 139e paragraph 4 of the Fifth Book of the Social Code, (
3) for the proof of agreements according to § 134 paragraph 1 sentence 3 of the Fifth Book of the Social Code and
(4) for the permanent guarantee of the technical functionality, user-friendliness and further development of the digital health application.

The proof of agreements § 134 paragraph 1 sentence 3 of the fifth book of the Social Code serves primarily to settle accounts with your health insurance company. Your activation code will be recorded and processed for this purpose.
The permanent guarantee of the technical functionality, the user-friendliness and the further development of the DiGA includes the processing of your feedback to improve the app.
A prerequisite for lawful data processing according to Section 4 (2) DiGAV is that you consent to the data processing for the aforementioned purposes. The consent is given when registering in the APPLICATION and can be revoked as described above under point 2.



4.11. Data on the prescribing doctor and/or health insurance company
Depending on whether you have a prescription and an activation code, we process your data, which may also include health data, in two ways. You will be asked to provide information on the “Who prescribed you NeuroNation MED?” screen. The data processing described below may be combined, depending on the consent you have given us. In both cases, the information is optional, please skip if you do not want to provide this information.
4.11.1. Information on the health insurance company as part of the intended use of the NeuroNation MED app
In order to support you in being able to use the app fully as prescribed and correctly (this serves to ensure the app is used as intended), we will ask you for the name of the doctor that has prescribed NeuroNation MED to you. We do this because we want to ensure that you can use our DiGA as intended based on the following circumstances:
  • Your doctor has prescribed NeuroNation MED app for you, ie you have a valid prescription
  • You downloaded the app
  • You have set up a user account and registered
By clicking on the "Send" button, you also agree that we may inform you by e-mail how best to interact with your health insurance company regarding the activation of NeuroNation MED. Since the processing speed and route can vary depending on the health insurance company, we support you in getting an activation code as quickly as possible and being able to use the app as intended. Furthermore, by clicking on the "Send" button, you agree that NeuroNation MED may contact you by e-mail and telephone to offer to support you with the activation. The legal basis is your consent (Art. 9 Para. 2 a), 6 Para. 1 a) GDPR, §4, Para. 2, No. 1 DiGAV).




4.11.2. Improvement of user-friendliness: Information on health insurance company and doctor
In order to further develop our DiGA, we ask you for the prescribing doctor (first and last name, postcode, city) and the name of your health insurance company. We do this because we can use it to identify any process gaps when activating DiGAs that have already been prescribed and take targeted measures to continuously improve user-friendliness. The legal basis for this is your consent is (Art. 9 Para. 2 a), 6 Para. 1 a) GDPR, §4, Para. 2, No. 4 DiGAV).


5. Data Analysis

When you call up our APPLICATION, your usage behavior can be used to prove positive supply effects as part of a test in accordance with Section 139e Paragraph 4 SGB V, to provide evidence of agreements in accordance with Section 134 Paragraph 1 Clause 3 SGB V and to permanently guarantee the technical functionality, user-friendliness and further development of the DiGA can be statistically evaluated. When using external service providers (processors), we ensure through appropriate contracts with the service providers that the data processing complies with German and European data protection standards.

6. Deletion of data (deletion concept)
Your personal and health data will only be processed on the basis of your consent when registering for the APPLICATION.

You can revoke your consent at any time in the app settings. If you withdraw your consent, you will not be able to use the application. The consent remains legally valid until revoked.

In addition, within the framework of the right to erasure and the right to be forgotten, you have the option of requesting the erasure of your data. In addition to the Federal Data Protection Act and the General Data Protection Regulation as well as other laws (in particular the Fiscal Code (AO), the Commercial Code (HGB) and the Social Code (SGB)), Synaptikon GmbH has storage obligations for various types of data and documents. In principle, we only store all data for as long as is necessary to fulfill legal and contractual obligations. We will then delete the data immediately. Specific deletion periods can be found in the following sections.

6.1. Deletion of User Data
Synaptikon GmbH collects and processes certain user data. This concerns personal and health data in accordance with Art. 9 Para. 1 GDPR (e.g. e-mail address, results of questionnaires, IP address). To exercise your right to erasure and to be forgotten, simply log into the APPLICATION. You can then request the deletion of your account and your data in your profile. If you have requested deletion, all personal and health data that are not subject to a statutory retention obligation will be deleted without undue delay.

If you do not proactively request deletion of your data, then all personal data, including health data, will be deleted after your access expires. During registration, for your convenience, you can give an optional consent to access your data for a further 30 days after the expiration date in order to have time to enter a new activation code for your existing account. You can revoke this optional consent at any time via the app settings. Without a new activation code, your data will be deleted once this extended period has expired.

6.2. Deletion of billing data
For accounting reasons, billing data must be kept for up to ten years even after you have requested deletion. We are legally obliged to do this by the German Commercial Code, the Tax Code, the Money Laundering Act and the Medical Devices Act. In order to fully comply with your deletion request, we will also restrict and pseudonymise such data that are subject to legal storage obligations immediately after your request through technical precautions, so that it is then no longer possible to assign the data to your user profile. In this way, your pseudonymised data is only stored securely for legal storage purposes.

6.3. Delete App - Uninstall
Uninstalling our mobile application on your cell phone only deletes the application itself, but not the data stored up to this point. To delete your data, please proceed as described in Section 6.

Status: 19.07.2023