Data Protection Policy (App)

Disclaimer: The English version is a translation of the original in German for information purposes only. In case of a discrepancy, the German original will prevail.

Version 2.0 – June 2023

lumetry is a medical app that is currently still under development and available for clinical studies and usability studies. Data is therefore currently being processed for the purpose of research and development. For clinical studies, an additional data protection declaration applies, which is part of the patient information.

We as Lumetry Diagnostics GmbH (hereinafter “we”, “us”) and provider of the app lumetry take the protection of your data seriously. We would like to point out that despite extensive security measures to protect your data, this cannot be guaranteed under certain circumstances. This is especially true in unsecured networks and if you make your smartphone available to third parties.

When using our app, you will receive the following services from us:

  • Taking a capnography measurement with a lumetry meter by breathing quietly through the device for one minute
  • Display of breathing and flow profiles
  • Calculation and display of key figures from the capnography measurement

Please note:
When using the app, health data is processed.

With the following data protection policy we inform you about the type, scope, purpose, duration and legal basis of the processing of your personal data in our app lumetry (hereinafter also “app”).

Our data protection policy is structured as follows:

  1. Information about us as controllers
  2. Information about our data protection officer
  3. Your rights (data subject rights)
  4. Processing of personal data when using our app
  5. Possible recipients
  6. Purpose changes
  7. Push notifications
  8. Processing in third countries
  9. Storage and deletion of your data
  10. Data security
  11. Tools used by third parties
  12. Change of the data protection policy

1. Controller

In the following we inform you about the collection of personal data when using our app. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

Responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Lumetry Diagnostics GmbH
Nikolaiplatz 4
8020 Graz
Email: contact@lumetry.at

2. Data Protection Officer

Lumetry Diagnostics GmbH has appointed a certified data protection officer.

Name: Andreas Nagler-Ruhry
Email: datenschutz@lumetry.at

3. Your Rights (data subject rights)

You have the following rights towards us with regard to your personal data:

Right to access: You can request confirmation at any time as to whether data relating to you is being processed, information about the scope, origin, recipients of the stored data and the purpose for which it was stored, as well as copies of the data. (Art 15 GDPR)

Right to rectification: You can request that incorrect or incomplete personal data concerning you be corrected or completed. (Art 16 GDPR)

Right to erasure: You can request immediate deletion of your personal data at any time. Please note that legal retention periods may prevent deletion. (Art 17 GDPR)

Right to restrict processing: You can request that the processing of your personal data be restricted if one of the following conditions is met (Art 18 GDPR):

  • You contest the accuracy of the personal data (the restriction is for a period that enables us to verify the accuracy of the personal data).
  • The processing is unlawful and you refuse to delete your personal data.
  • The data is no longer required for the purposes of processing, but you need it to assert, exercise or defend legal claims.
  • You have lodged an objection to the processing (see right of objection) and the weighing of interests within the framework of the objection procedure has not yet been completed.

Right to data portability: You can receive the personal data that you have provided to us in a structured, common and machine-readable format, provided that the processing is carried out using automated procedures and is based on consent or a contract. (Art 20 GDPR)

Right to withdraw consent: You can withdraw your consent to the processing of personal data at any time. Please note that with the revocation, the use of the affected services is no longer possible. This does not affect the lawfulness of the processing of your personal data up until the point at which the revocation was received. (Art 7 GDPR)

Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art 6 Para 1 lit f GDPR (data processing on the basis of a legitimate interest). (Art 21 GDPR)

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If we process personal data in order to operate direct advertising, you have the right to object to this at any time.

Right to complain: If you believe that the processing of your personal data violates data protection regulations, you can lodge a complaint with the supervisory authority responsible for Lumetry Diagnostics GmbH. (Art 77 GDPR)

Austrian Data Protection Authority
Wickenburggasse 8-10
1080 Vienna
Email: dsb@dsb.gv.at

4. Processing of personal data when using our app

Download the app
The lumetry app is available via distribution platforms operated by third parties, so-called app stores (Google Play and Apple App Store). Your download may require prior registration with the relevant app store and installation of the app store software. Lumetry Diagnostics GmbH has no influence on the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and the app store software. In this respect, the sole responsible body is the operator of the respective app store. If necessary, please contact the respective app store provider directly for more information.

 

Granting Access Permissions
When you start using our mobile app, we ask you in a pop-up for the following permissions:

  • Internet access: To use the app, an active Internet connection is required to store, process and access your data on our cloud servers. The app can only be used in online mode.
  • Bluetooth: The app connects to the measuring device via Bluetooth. Appropriate access permissions are therefore required to carry out a measurement.
  • Location data: With Android smartphones, it is necessary to allow access to the location data in order to establish the Bluetooth connection. This data is not stored and processed by us.

You can revoke the permissions later in the settings of the app or the operating system, or grant them again after they have been revoked.

If you allow access to this data, the lumetry app will only access and process your data to the extent necessary to provide the functionality of the app. Your data will be treated confidentially by us and will be deleted if you revoke the rights of use or if this data is no longer required to provide the services and there are no legal storage obligations. The legal basis is Art 9 Para 2 lit a GDPR.

 

Access to the lumetry meter
Your smartphone or tablet is connected to your lumetry measuring device via Bluetooth pairing so that the data collected can be processed in your app.

 

Creation of a user account (registration)
In order to use the functions of the app, it is necessary to create a user account. The registration takes place immediately after the first start of the app. The combination of email address and password, your Apple account or your Google account can be used as access data.

 

Login with email address and password
Access data:

  • email address and
  • password

If you use the email address and a password as access data, you will receive an email with a confirmation link during the registration process. The password is stored in the form of a so-called “hash value”. A hash value is a calculated value that is uniquely calculated for each password, but from which the password itself cannot be calculated (so-called “one-way function”). Therefore, we do not know your password and cannot recover it in case of loss. If you lose your password, you can reset it via the app or by sending us an email.

 

Sign in with Apple
Access data:

  • Apple ID (email address)

You can use your Apple ID to register in the lumetry app. Apple accounts for European users are provided by Apple Computer Limited, Hollyhill Industrial Estate, Cork, Ireland (“Apple Ireland”), a subsidiary of Apple Inc. located at One Apple Park Way, Cupertino, CA 95014, United States. We will receive your Apple ID (email address), either in plain text or encrypted, only if you have given your express consent in accordance with Art 6 Para 1 lit a GDPR prior to the registration process, based on a corresponding notice on data exchange with Apple. We never receive your Apple password and cannot log into your Apple account.

 

Registration with Google
Access data:

  • Google Account (email address)

Alternatively, you can use your Google account to register in the lumetry app. Google accounts for European users are provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 (“Google”). We will receive your Google email address only if you have given your express consent in accordance with Art 6 Para 1 lit a GDPR prior to the registration process, based on a corresponding notice on data exchange with Google. We never receive your Google password and cannot log into your Google account.

We only use the access data to authenticate you when you log in and to follow up on requests to reset your password. The data you enter during registration or login will only be processed by us:

  1. to verify your authorization to manage the user account;
  2. to enforce the terms of use of the app and all associated rights and obligations; and
  3. to contact you in order to be able to send you technical or legal notices, updates, security notifications or other messages, for example relating to the administration of the user account.

The legal basis is Art 9 Para 2 lit a GDPR.

Your personal access data will be stored until your personal account is deleted, and beyond that only for as long as processing is necessary to fulfill any contract.

Furthermore, user profile data is requested in the registration process:

  • Country
  • Year of birth
  • Height
  • Weight

This data is used by us to learn more about our users and to use this information when developing our app. It can be changed later in the app at any time. The legal basis for processing the user profile data is your express consent in accordance with Art 9 Para 2 lit a GDPR.

 

Data processing when using the app
In order to make the functions of the app available to you, the necessary data about you must be collected and processed when using the app. We only collect the data that is necessary for the functionality of the app.

We collect and process the following personal data:

If you use our lumetry app, we collect the following personal data that is technically necessary for us to offer you the functions of our lumetry app and to ensure stability and security, provided you consent to this processing (legal basis is Art 9 Para 2 lit a GDPR):

 

Technical specifications:

  • Operating system version number of the end device
  • Version number of the app
  • Information about the meter (date and time of pairing, device number, etc.)

The technical data is necessary for us to offer you the functions of our lumetry app and to ensure stability and security. It is also saved for support purposes. The legal basis for processing is your express consent in accordance with Art 6 Para 1 lit a GDPR.

 

Measurement data (health data):

  • Date and Time
  • Raw data from device sensors (pCO2, flow, environmental conditions)
  • Calculated pCO2 and flow values
  • Various key figures, which are calculated from the measurement data
  • Additional information provided by the user about a measurement (comments, reference values, etc.)

The measurement data is saved and evaluated in order to calculate and display relevant parameters from the measurement as precisely as possible. The data collected are special categories of personal data, especially health data, as defined in Art 9 GDPR. Health data is any data relating to the physical and mental health of a natural person.

This data is only collected and used by Lumetry Diagnostics GmbH if this is expressly permitted by law or if the user consents to the collection, processing, use and disclosure of the data.

The legal basis for processing the data or health data is your express consent in accordance with Art 6 Para 1 lit a GDPR and Art 9 Para 2 lit a GDPR.

You can withdraw your consent to the processing of the data categories described at any time without giving reasons by sending us an email. Withdrawing your consent results in an immediate deletion of your user account including your stored data.

 

Use of cookies
The app does not use cookies.

 

Data processing for advertising purposes
Your data will not be processed for advertising purposes.

 

Google Analytics for Firebase (application usage data)
The app uses Google Analytics for Firebase, a service provided by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The following (anonymized) usage data is processed and stored for a period of 14 months:

  • Based on anonymous information on the frequency of use, the general acceptance of the app is evaluated.
  • Anonymous information on session/dwell time is used to identify errors in the usability of the app and to optimize the app accordingly.
  • Anonymous screenflows or the processes involved in using the app help us to better understand the use cases and goals of the users.
  • Demographic data is used to better understand our target audience.

Within the studies, the usage data collected in this way is necessary to monitor the functionality of the app, to test the acceptance of different usability variants and to plan future app workflows and the product development.
The legal basis for this processing activity is your consent (Art 6 Para 1 lit a GDPR). It is currently (during the studies) not possible to use the lumetry app and at the same time refuse this processing.

You can find more information on data protection for the Google Firebase services at https://firebase.google.com/support/privacy.

 

Firebase Crashlytics
In order to improve the stability and reliability of our apps, we rely on anonymous crash reports. For this we use Firebase Crashlytics, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland.

In the event of a crash, anonymous information is sent to the Google servers in the USA (status of the app at the time of the crash, installation UUID, crash trace, cell phone manufacturer and operating system, last log messages). This information does not contain any personal data.

Crash reports are only sent with your express consent. When using iOS apps, you can give consent in the app’s settings or after a crash. With Android apps, when setting up the mobile device, you have the option of generally agreeing to the transmission of crash notifications to Google and the app developer.

For more information on data protection, visit https://firebase.google.com/support/privacy.

 

Use of anonymized data to improve the service
In order to ensure continuous improvement of the pCO2 calculation, Lumetry Diagnostics GmbH reserves the right to anonymise and then evaluate your data.

 

Contact
When you contact us via email, your name and email address and, if applicable, other personal data provided by you will be stored by us. Providing the data is required to process and answer your request. We delete the data arising in this context after the storage is no longer necessary, or – in the case of statutory storage obligations – restrict the processing.

The legal basis for this processing is Art 6 Para 1 lit b GDPR.

We would like to point out that data transmission when communicating by e-mail can have security gaps. A complete protection of the data against access by third parties is not possible. Please take this into account in particular before you send us health data by e-mail.

5. Possible recipients

The following categories of recipients, which are usually processors, may have access to your personal data:

  • Service providers for the operation of our app and the processing of the data stored or transmitted by the systems for data center services. This is basically processing on our behalf (“order processing”).
  • State bodies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is Art 6 Para 1 lit c GDPR and Art 9 Para 2 lit g GDPR.

In addition, we only pass on your personal data to third parties if you have given your express consent to do so.

As part of the further development of our business, the structure of our company may change, in that the legal form is changed, subsidiaries, parts of companies or components are founded, bought or sold. In such transactions, customer information may be passed along with the part of the business to be transferred in what is known as “succession”. Whenever personal data is passed on to third parties to the extent described, we ensure that this is done in accordance with this data protection notice and the applicable data protection law.

6. Purpose changes

Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes before further processing and provide you with all other relevant information.

7. Push notifications

Push notifications are messages that are sent from the app to your device and are displayed there with priority. By default, this app uses push notifications for the use of the measurement reminder, provided you have consented when installing the app or when using it for the first time. The legal basis is Art 6 Para 1 lit a GDPR and Art 9 Para 2 lit a GDPR.

8. Processing in third countries

To provide our services within the scope of using the app, we also use service providers outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and is only carried out to the extent necessary.

If possible, we use servers located within the EU. However, it cannot be ruled out that data will also be transferred to the USA. This applies in particular to the access data you provide and the application usage data.

The European Commission has not issued any so-called adequacy decisions for the USA. We make sure that data protection is still sufficiently guaranteed. For this we use the standard contractual clauses of the European Commission and implement additional technical and organizational measures. The standard contractual clauses for third-country transfers can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

9. Storage and deletion of your data

We delete or anonymize your personal data as soon as it is no longer necessary for the purposes for which we collected or used it as explained in this data notice. As a rule, we store your personal data for the duration of the usage or contractual relationship via the app plus a period of one year, during which we keep backup copies (so-called “backups”) after deletion.

You have the option of initiating deletion in the app at any time. We would like to point out that after deletion, data can no longer be restored by us, so the data is always irreversibly deleted.

However, storage can take place beyond the specified time and also in the event of deletion initiated by you in the event of an (imminent) legal dispute with you or other legal proceedings.

Third parties used by us (so-called “processors”) will store your data on their system for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.

Your data is preferably stored on servers in the EU. Access from a third country, including from state authorities in a third country, cannot be ruled out.

10. Data security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties, taking into account the state of the art, the implementation costs and the type, scope, circumstances and the purposes of the processing and the different probability of occurrence and severity of the risk for you or the effects of security incidents such as data breaches for you.

Our security measures are continuously developed in line with technological developments.

We will be happy to provide you with further information on this upon request. To do this, please contact our data protection officer.

11. Tools used by third parties

We use the cloud services of the Google Cloud Platform, Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland for the storage and processing of all data categories mentioned.

For hosting in the Google Cloud (Google Cloud Platform, GCP), Frankfurt (Germany, europe-west3) is used as storage location.

If you contact us by email, we store your email in the Microsoft 365 Exchange email service provided by Microsoft (Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399, USA) with a storage location in the EU.

12. Change of the data protection policy

As part of the further development of data protection law and technological or organizational changes, our data protection policy is regularly checked for any need for adjustment or supplementation. You will be informed of any changes.

This data protection notice is dated June 2023.