Kata®

Kata – Privacy Policy (EU)

In this privacy policy, you will find out which data is collected by us, VisionHealth GmbH, in connection with the operation of our app, as well as the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”). The current version of this Privacy Policy can be viewed on our website www.kata-inhalation.com and is available for download.

Responsible:
VisionHealth GmbH
Landsberger Straße 72
80339 München
Germany
Managing Directors: Dr. Sabine Häußermann, Philipp Kroneberg

E-mail: info@visionhealth.gmbh
Phone: +49 89 6142 429 – 00

Contact information of the data protection officer:
PROLIANCE GmbH / datenschutzexperte.de
Data protection officer
Leopoldstr. 21
80802 München
E-Mail: datenschutzbeauftragter@datenschutzexperte.de

If you have any questions about our privacy policy, the processing of your data and our processing operations, please do not hesitate to contact us using the contact details above.

With the help of the Kata app, we show you in a simple and understandable way how to inhale correctly so that you release the necessary active ingredient into your lungs in the best possible way. The Kata app reports in text and images how successful your inhalation application was, documents your corresponding behavior and reminds you to inhale.

To make all this possible, we process the necessary data to provide you with the intended use of our app. If you do not wish to provide us with the necessary data, we will not be able to provide you with the services of the Kata app. Accordingly, we will ask you for your consent to data processing.

In this context, we also rely on the processing of your data for the purpose of improving our services and products. We will ask you separately for your consent for this.

Finally, in order to be able to help other people better, we process anonymized user data for scientific, research and statistical purposes.

Your data is processed exclusively for these purposes.

We only process your data insofar as this is possible for us in accordance with the applicable data protection regulations. Accordingly, we only process your data insofar as this is necessary to provide the services you have requested, you have consented to the processing or we are otherwise authorized to do so under data protection laws.

As a so-called digital health application (“DiGA”), the Kata app is not only subject to the data protection requirements of the General Data Protection Regulation (“GDPR”), but also to the specifications and additions of the Digital Health Applications Ordinance (“DiGAV”), insofar as the Kata app is used as a billable service vis-à-vis a health insurance company. Accordingly, we only process your data if this is permitted by both the GDPR and the DiGAV. For lawful data processing in accordance with Section 4 (2) DiGAV, it is regularly necessary for you to consent to the data processing. You will find the corresponding consent at the end of this declaration. You can view this consent at any time in the Kata app and revoke it if necessary.

4.1. User data provided by you

To protect your user data, our services can only be used with a user account. To create a user account, we require and process the following user data:

  • e-mail address
  • your password
  • Kata ID (assigned after registration)
  • Registration date
  • Status of the consents
  • When using the Kata app: device ID, manufacturer, device type, operating system version
  • Language, country, time zone
  • User name
  • Year of birth

The scope of the data collected by Kata depends on your registration and use of our product. We only process the user data that you actively and voluntarily provide to Kata. However, as described above, the input of requested user data is a prerequisite for the comprehensive use of our product.

This data processing is justified by the fact that it is necessary for the fulfillment of the contract between you and us so that you can use the Kata app at all (§ 4 para. 2 sentence 3 DiGAV in conjunction with Art. 6 para. 1 lit. b) GDPR). It is also possible to independently activate or deactivate the collection of certain data (e.g. access to camera or microphones) in the settings of our app and other software on your end device (e.g. operating system, other apps, app stores, etc.). If you have any questions, please contact us at UserSupport@Kata-Inhalation.com.

4.2. Necessary usage data

As part of your use of the Kata app, we collect certain data automatically, i.e. without any further information from you, which is required for the use of the Kata app (so-called usage data):

  • The installation of our app results in the collection of technical and device-related data such as the device ID.
  • Registration leads to the creation of your Kata ID using your e-mail address and password.
  • Communication from Kata to you within our app or via other electronic messaging services (e.g. e-mail, messenger, telephone), insofar as this is necessary to support or troubleshoot our products. This is how we process any comments and queries you may have with Kata via various communication channels. The most important example is our support service, which is available to you at UserSupport@Kata-Inhalation.com. Therefore, please pay attention to what information and data you wish to disclose in your active communication with us – this is entirely your decision. It may also be necessary for us to communicate with users, either by email or push notification. This is how we notify you about updates to our products, as well as important security information and assistance in connection with your use. Users receive this support communication – as an indispensable part of our products – regardless of whether they have subscribed to our newsletter.
  • In order to rectify errors in the app, we need crash reports, for example, from which we can see the circumstances of the problem in the event of support.

All of the aforementioned data processing is justified by the fact that it is necessary for the performance of the contract between you and us so that you can use the Kata app. The legal basis for this is § 4 para. 2 sentence 3 DiGAV in conjunction with Art. 6 para. 1 lit. b) GDPR.

4.3. Health data

Optionally, you can add health-related master data and usage data (so-called health data) to your user account. If you do not enter optional data, the functionality of our products that depends on it will be limited accordingly. For example, our diary app requires detailed (voluntary) information from you in order to enable optimal use.

The health-related master data includes your diagnosis and any information about your smoking behavior.

In addition, the key data of the end device you use and your usage behaviour are recorded, as the fulfilment of the contract primarily includes the personalization of our products, i.e. the preparation of individual user information, e.g. depending on your location (relevant for the search function, among other things), disease type or type of therapy (both relevant for the configuration of the user interface, for example).

Your health-related usage data includes information regarding medication and inhalation instructions (inhaler, number of applications, sprays per application, inhalation times), an inhalation protocol, use of an emergency spray, your condition, peak flow, oxygen saturation, pulse, asthma and a COPD control test.

This data processing is justified by the fact that, with regard to the purpose of providing the function, the processing is necessary for the fulfillment of the contract between you and us for the use of the Kata app (§ 4 para. 2 sentence 1 no. 1 DiGAV), is required for the proof of positive care effects in the context of a trial according to § 139e para. 4 SGB V (§ 4 para. 2 sentence 1 no. 2 DiGAV) or to provide evidence for agreements pursuant to Section 134 para. 1 sentence 3 SGB V (Section 4 para. 2 sentence 1 no. 3 DiGAV) or, with regard to app improvement or misuse, we have a legitimate interest in ensuring the functionality and error-free operation of the app and in being able to offer a service that is in line with the market and our interests (Section 4 para. 2 sentence 1 no. 4 DiGAV). The legal basis for this is the consent you have given for data processing in this regard.

4.4. Data processing for product improvement

If you give your separate consent, we will also process your user data beyond the necessary use described above to improve our services and products, as described below. A separate selection option is provided in our consent form for this purpose.

Due to the fast pace of technology, we must continuously analyze, develop, test and improve our products and their interaction to ensure that our content benefits users in the most effective way possible. To this end, we carry out usage and security tests, the findings of which are incorporated into improved new versions of our products such as the app. These improvements are also made available to you via regular updates.

This data processing is justified by the fact that it is necessary to permanently guarantee the technical functionality, user-friendliness and further development of the Kata app (Section 4 (2) sentence 1 no. 4 DiGAV). The legal basis for this is the consent you have given for data processing in this regard.

4.5. Processing for the enforcement of rights

Furthermore, the use of personal data may be necessary to prevent fraud by users or to assert, exercise or defend legal claims. We may be forced to disclose data due to mandatory laws, court or official decisions and orders, for criminal prosecution or for reasons of public interest. In such cases, the storage and processing of your data without consent is also permitted by law. The legal basis here is Section 4 (2) sentence 3 DiGAV in conjunction with Art. 9 (2) f GDPR.

5.1. Purpose and data security

We use your personal data exclusively for the purposes specified in this privacy policy and in the respective consents. In doing so, we ensure that any processing is limited to what is necessary for its purposes.

All processing is carried out in a manner that ensures appropriate security and confidentiality of your personal data. This includes protection against unauthorized and unlawful processing, as well as against accidental loss, destruction or damage through appropriate technical and organizational measures. To this end, we use strict internal procedures, security features and state-of-the-art encryption methods, all taking into account the state of the art and implementation costs.

5.2. Data processor

Kata passes on user data to processors exclusively within the scope of this data protection declaration and only to fulfill the purposes specified therein. Processors work according to our specifications and instructions and are not authorized to use personal data of our users for other, own purposes.

We use processors who offer sufficient guarantees that suitable technical and organizational measures are implemented in such a way that the processing of personal data is carried out in accordance with legal requirements and our privacy policy. The protection of our users’ rights is guaranteed by the conclusion of binding contracts that meet the high requirements of the GDPR.

The third-party providers commissioned by Kata may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations, including appropriate security measures, that we have imposed on our processor, we will prohibit the subcontractor from being commissioned.

We use the following data processors:

  • Exoscale (data hosting of the Kata App)
  • Noventi Healthcare GmbH (billing service provider for DiGA vis-à-vis the public payers in the healthcare sector)


5.3. Encryption, pseudo- and anonymization

Every data transmission is – without exception and by default – transport-encrypted. With HTTPS (hypertext transfer protocol secure), we ensure that your data is not intercepted by unauthorized third parties.

In addition, we use further procedures to encrypt and pseudonymize user data for the purpose of data security and minimization. Of course, this depends on the type, scope and purpose of the respective data processing and takes into account the state of the art. For example, all user data that is not required by a processor to fulfill its tasks is not disclosed.

After termination of the contractual relationship with the respective processor, the processor must return or delete all of our users’ data – at Kata’s discretion – provided that there are no statutory retention obligations.

Data whose processing does not require personal references (e.g. for research and analysis) is subject to anonymization. This means that a link to a specific user is always excluded.

5.4. Existence of automated decision-making

We do not use automated decision-making or profiling.

5.5. Storage and deletion

Your data is stored on your device and on our servers. We only use systems that meet the requirements of the GDPR. Our servers are located exclusively in Germany.

If you delete your Kata account with us, we will also automatically delete your personal data. We will also delete your data if it is no longer required for the purpose for which it was collected or if you have withdrawn your consent to the corresponding processing. To do so, please contact us at Info@VisionHealth.GmbH at any time. We will delete your data immediately, i.e. in this context taking into account a reasonable period of time to review the situation, which also includes a comprehensive inventory of your data. In exceptional cases, longer storage may be necessary in order to fulfill post-contractual obligations or statutory retention or information obligations, or to assert, exercise or defend legal claims (limitation periods).

5.6. Data privacy officer

Our external data protection officer is available to you in all data protection matters at datenschutzbeauftragter@datenschutzexperte.de. He monitors – independently and without instructions – compliance with all data protection regulations and is subject to strict statutory confidentiality and non-disclosure obligations.

The data protection officer is fully involved in all matters relating to the protection of our users’ personal data. As a trained expert, he continuously checks our processing operations and informs and advises the entire Kata team on an ongoing basis to ensure the best possible protection of your user data.

5.7. Changes

As technology and procedures on the Internet as well as data protection legislation are constantly evolving, we have to make adjustments from time to time. We will announce any adjustments in an appropriate manner and with a reasonable period of notice in advance and, if necessary, obtain new consents.

Unless otherwise provided for in this Privacy Policy, the same definitions apply as in our Terms of Use.

6.1. Revocation of consent

If we process your user data on the basis of your consent, you can withdraw your consent at any time without this affecting the lawfulness of processing prior to withdrawal. We will continue to provide our services insofar as they do not depend on the revoked consent. To exercise your right of withdrawal, you must inform us of your decision to withdraw your consent by means of a clear statement (e.g. a letter sent by post, fax or e-mail) to the above-mentioned contacts. If you make use of this option, we will immediately send you a confirmation of receipt of such a revocation (e.g. by e-mail).

If you withdraw your consent, the processing of your data up to that point remains lawful. After revocation, your personal data may continue to be processed insofar as this is legally permissible, e.g. for invoices or within the scope of statutory retention periods or in the event of legal disputes before courts or authorities.

6.2. Information, correction and restriction

Every user has the right to request information about the processing of their personal data. To do so, please contact us at Info@VisionHealth.GmbH at any time.

Your right to information includes information about the processing purposes, data and recipient categories, storage duration, any origin of your data, the existence of automated decision-making including profiling, as well as your rights under data protection regulations. You will find all of this information in this privacy policy and we will be happy to provide it to you in an electronic format on request.

If it turns out that some of your personal data is incorrect, you can request that your data be corrected or completed at any time – you can correct most of the data yourself within our app. For the duration of any review of your concerns, you also have the right to restrict data processing.

6.3. Deletion (“Right to be forgotten”)

Every user has the right to request the deletion of their personal data. To do so, please contact us at any time at Info@VisionHealth.GmbH.

6.4. Data transferability

Finally, every user has the right to request that we transfer an overview of their personal data to another controller, insofar as this is technically feasible.

6.5. Complaints

If you believe that we are not adequately protecting your data protection rights, please contact us at Info@VisionHealth.GmbH at any time.

We will deal with your request immediately.

Otherwise, every user has the right to lodge a complaint with the supervisory authority responsible for Kata if they are of the opinion that the processing of their personal data violates data protection regulations. In addition, the right to lodge a complaint can also be asserted with a supervisory authority in the EU Member State of your place of residence, your place of work or the place of an alleged infringement.

Contact information of the supervisory authority responsible for Kata:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Phone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
E-Mail: poststelle@lda.bayern.de
Homepage: https://www.lda.bayern.de/de/kontakt.html

Consent to the use of special personal health data

When you use the Kata app, the health data you transmit to us will be processed as part of the provision of our services to you. Health data is particularly sensitive personal data and is subject to special protection in accordance with Art. 9 GDPR and, in particular, may not be processed without your consent:

1. Consent to the processing of your data

You agree that we may process and use your personal data to provide our services and products and to create evaluations and recommendations on this basis. This personal data includes, in particular, the data stored by you in the app on your mobile device and the information about your health transmitted to us via your user account. You also agree that we may process and use your personal information for transmission to third parties, e.g. for processing to your doctor or, at your request, for forwarding to third parties selected by you.

This also includes that we may process this data for the purpose of proving the intended use of a digital health application, proving positive care effects in the context of a trial in accordance with Section 139e (4) of the Fifth Book of the German Social Code and providing evidence for agreements in accordance with Section 134 (1) sentence 3 of the Fifth Book of the German Social Code.

2. Consent for the purpose of improving the app and troubleshooting

You also agree that we may process your personal data for the purpose of permanently ensuring the technical functionality, user-friendliness and further development of the Kata app. Consent for the purpose of improving the app and troubleshooting is independent of any other consent you may have given.

3. Possibility to withdraw your consent

If we process your user data on the basis of your consent, you can withdraw your consent at any time without this affecting the lawfulness of processing prior to withdrawal. We will continue to provide our services insofar as they do not depend on the revoked consent. To exercise your right of withdrawal, you must inform us of your decision to withdraw your consent by means of a clear statement (e.g. a letter sent by post, fax or e-mail) to the above-mentioned contacts. If you make use of this option, we will immediately send you a confirmation of receipt of such a revocation (e.g. by e-mail).

If you withdraw your consent, the processing of your data up to that point remains lawful. After revocation, your personal data may continue to be processed insofar as this is legally permissible, e.g. for invoices or within the scope of statutory retention periods or in the event of legal disputes before courts or authorities.

THANK YOU FOR YOUR TRUST!