Privacy Policy iDIERS App by iDIERS GmbH
1.1 Responsible
The provider of this app and the responsible body within the meaning of data protection regulations is:
iDIERS GmbH
Christof-Ruthof-Weg 6
D-55252 Wiesbaden
This means that iDIERS GmbH decides on the purposes and means of processing app users’ personal data (“user data”) and is responsible for its security and compliance with applicable laws. As the responsible party, we are also subject to information obligations, which we aim to fulfill with this privacy policy.
1.2 Purpose
DICAM-iDIERS is software that provides physicians with information/options for creating a training plan for the prevention and alleviation of musculoskeletal pain based on their diagnosis.
The software is not intended to provide information that can be used to make decisions for diagnostic or therapeutic purposes; nor is it intended to control physiological processes.
The iDIERS app is software that provides patients with individualized training recommendations for the prevention and relief of musculoskeletal pain for autonomous use at home.
The app is not intended to provide information that can be used to make decisions for diagnostic or therapeutic purposes; nor is it intended to control physiological processes.
1.3 General Information
In developing and operating the app, iDIERS GmbH observes the principles of privacy by design and privacy by default. The same applies to the further development of our apps and the implementation of new legal requirements.
In general, we process your personal and personally identifiable data in accordance with the provisions of the European Union’s General Data Protection Regulation (GDPR). Under no circumstances will we use your personal data for advertising or marketing purposes without your consent or pass it on to third parties outside iDIERS GmbH.
2. Use of your data (purpose of processing)
The iDIERS app from iDIERS GmbH can generally be used without entering personal data. It only collects data for the purpose of documenting and optimizing the course of therapy, such as completed or uncompleted training units, any pain in the musculoskeletal system, and physical fitness (exertion level). All information is provided voluntarily. The iDIERS app does not send any data to iDIERS GmbH.
In connection with the use of the iDIERS app, data is collected for the following purposes:
• for the intended use of the digital health application by users
• where applicable, for the purpose of providing evidence in accordance with agreements pursuant to Section 134 (1) sentence 3 of the Fifth Book of the Social Code
Personal data such as name or date of birth are not evaluated during processing (within the meaning of Art. 4 (2) GDPR) in connection with the iDIERS app (so-called personally identifiable data). Processing includes:
Information via the QR code (provided by your doctor):
• Doctor ID
• Patient ID
• Voucher
• Prescription period
• Activity level
• Options
• Exercise ID
Data stored on the mobile phone:
• Videos, images, and instructions relating to the exercises
• Settings: email address, voucher expiration date, training level, etc.
• Your comments
Data stored on the iDIERS server:
• User
• Patient ID
• Email address (hash, anonymized, only for password loss)
• Password (hash, anonymized, only for password loss)
• Account creation date
• Vouchers
• Doctor ID
• Voucher code
• VoucherFriendlyCode
• Creation date
• Activation date
• Validity period
• Voucher ID
• Training courses
• Training ID
3. Storage location and data deletion
The data entered during use is only stored and managed locally on your mobile device by the iDIERS app and therefore remains in your possession. To permanently delete all user data, you simply need to delete the iDIERS app from your mobile device.
When you delete the iDIERS app from your mobile device, your usage data is irretrievably lost, as this data is not stored on the iDIERS server. However, you have the option of exporting the data before deleting the app.
Note: If you use cloud-based backup functions of your device’s operating system (smartphones), your data may still be available in the backup storage even after deleting the app. Please refer to the operating instructions for the respective operating system.
You have the option of importing data from “Apple Health” and “Google Fit” into your iDIERS app. This imported data is also only stored locally on your mobile device.
We ensure that your personal data that is inaccurate for the purposes of processing is deleted or corrected without delay.
3.1 Deletion concept (excerpt)
When you uninstall the iDIERS app, all user data on your mobile device will be deleted. We have no influence on the uninstallation process of the operating system. We cannot guarantee that all data, including caches and temporary files, will be deleted.
If you do not inform iDIERS of the uninstallation of the app (standard case), all data on the iDIERS server will be deleted from the server by default after one year of non-use.
Your aforementioned personal data will only be stored on the iDIERS server for as long as it is absolutely necessary for the provision of the promised functionalities of the digital health application or for other purposes directly resulting from legal obligations. Once these purposes have been fulfilled – after one year of inactivity, i.e., without renewal of your exercises – the personal data will be deleted from the server.
The deletion is documented. It is possible to trace who deleted what and when. These logs are kept for three years.
The management of iDIERS GmbH is responsible for the deletion; a review is carried out by the data protection officer of iDIERS GmbH.
Upon your request or revocation of consent, all data in your user account on the iDIERS server will be deleted immediately.
Before the user account is deleted, you will be informed of any data that may be lost and of your right to data portability in accordance with Article 20 of Regulation (EU) 2016/679.
4. Security of processing
The iDIERS app has been developed in accordance with current security standards and extensively tested to ensure optimal protection of your data.
We would like to point out that data transmission over the Internet (e.g., when you send exported data by email) may be subject to security vulnerabilities. We try to protect your data from unauthorized access by third parties through precautions such as pseudonymization, data minimization, compliance with deletion periods, and taking into account the current state of the art. Despite these protective measures, unlawful processing by third parties cannot be completely ruled out.
It is ensured that the communication of the iDIERS app with other services is technically restricted to such an extent that no unwanted data communication involving the transmission of personal data can take place from within the iDIERS app.
We have taken security measures for the data stored on the iDIERS server, which, among other things, exclude the transfer of your data to a third country.
No personal data is passed on to third parties via the iDIERS app or iDIERS, unless this is directly necessary for the fulfillment of purposes in accordance with Section 4 (2) No. 1 or the fulfillment of legal requirements and is limited to these purposes. The following are exclusively involved in the processing of your data on the iDIERS server:
Hardware:
Hewlett Packard (service exclusively via LOGIN)
Qnap (service exclusively via LOGIN)
Software:
Microsoft Server 2019 (no data transfer to manufacturer)
VMWare (no data transfer to manufacturer, support/maintenance via LOGIN. Infrastructure software, no access to operating system data)
Veeam (no data transfer to manufacturer, support/maintenance via LOGIN, no access to operating system data)
Securepoint Antivirus
Service providers:
LOGIN SystemHaus GmbH
Hetzner Online GmbH (data center)
Securepoint GmbH (status messages AV, no transfer of personal data)
5. Your rights as a data subject
As a data subject, you have various rights under the General Data Protection Regulation (GDPR) that we would like to draw your attention to:
Right to information:
You have the right to obtain information about the personal data stored about you to the extent specified in Article 15 of Regulation (EU) 2016/679.
Right to erasure and rectification:
You have the right to have inaccurate personal data concerning you corrected and incomplete personal data concerning you completed.
To irretrievably delete all therapy-related data, you simply need to delete the iDIERS app from your mobile device. You can find information on how to do this in the operating instructions for your mobile device.
All personal data stored on the iDIERS server will be deleted immediately or processed only to a limited extent at your request.
We will notify all recipients to whom your personal data has been disclosed of any correction or deletion of personal data or restriction of processing in accordance with Article 16, Article 17(1) and Article 18 GDPR, unless this proves impossible or involves disproportionate effort. We will inform you of these recipients if you request this.
Right to object:
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. iDIERS will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
Right to data portability:
In accordance with Article 20 of the GDPR, you have the right to read your therapy data collected using the app in a structured, machine-readable format – for example, to continue using it with other software. The iDIERS app offers the option of exporting all therapy data or any subset thereof as a PDF or JSON file under the menu item “Export data”.
You also have the right to receive the personal data concerning you that is stored on the iDIERS server in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller without hindrance from iDIERS.
Right to lodge a complaint with the supervisory authority:
We are legally obliged to inform you that you have the right to lodge a complaint with the supervisory authority.
6. Tracking
We do not use tracking tools.
7. Availability of the privacy policy
You can access this privacy policy at any time in the iDIERS app under Info > Privacy Policy.
8. Your contact persons
Compliance with legal requirements and this policy is monitored by our data protection officer. The app administrators have been trained in the handling of personal data and are committed to complying with data protection regulations. If you have any questions about data protection, please contact our data protection officer:
Kivanc Semen
DataCo GmbH
Sandstraße 33
80335 Munich
Tel. 089 740 045 840
Email: datenschutz@dataguard.de
Website: www.dataguard.de
The competent supervisory authority is the external contact for data protection issues:
Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach
Germany
Phone:
Fax: +49 (0) 981 180093-800
Email: poststelle@lda.bayern.de
As of: February 3, 2025