Version 3.06.2026

Privacy Policy for the ABAStroke Application - Germany

Back to Privacy Documents

1. Purpose of this document

The ABAStroke application is operated by ABAStroke sp. z o.o.

ABAStroke is a mobile application for home-based neurological rehabilitation for cognitive deficits after stroke. By combining Applied Behavior Analysis (ABA) methodology with machine learning (AI) algorithms, ABAStroke offers patients practically unlimited opportunities to perform exercises as part of independent, personalised and effective therapy.

This Privacy Policy explains how we process your data, that is, your personal data, when you use the ABAStroke application (the "Application"). It also explains how we protect your data, when the data are deleted and what rights you have under data protection law.

The Controller is not a healthcare provider within the meaning of applicable law and does not conduct medical activity.

The services provided through the Application do not constitute healthcare services. In particular, they do not include medical advice, diagnosis, treatment, or therapeutic decision-making.

All information made available in the service is for informational purposes only and must not be treated as a substitute for professional medical consultation. If you need medical advice or a diagnosis, please contact an appropriate specialist or healthcare provider.

2. Controller of personal data

Name and contact details of the data controller

The data controller for this Application is:

ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland

Data Protection Officer

If you have questions about our data protection measures, data processing or the protection of the rights of data subjects, you may contact our Data Protection Officer at: michal@abastroke.com

3. Scope of personal data processed

The Controller processes personal data to the extent necessary to achieve the purposes of processing, in accordance with the data minimisation principle set out in Article 5(1)(c) GDPR and taking into account the information security requirements arising from ISO/IEC 27001.

Because the Application uses an authentication mechanism based on one-time activation codes, the Controller does not process standard user identification data. The Application is activated only by entering that code, followed by its automatic verification in the system.

The verification process is automated and is limited to checking the correctness and validity of the code, without the need to obtain or process additional user identification data.

As a result, the Application does not process other data that enable direct identification of the patient, such as first name, surname or residential address, and the scope of data processing remains limited to the minimum necessary to provide the service. The scope of data processed includes, in particular:

The Controller processes special categories of personal data referred to in Article 9(1) GDPR on the basis of Article 9(2)(a) GDPR and with appropriate technical and organisational measures ensuring their protection, in accordance with Article 32 GDPR.

Processing is carried out in accordance with the principles of confidentiality, integrity and availability of data, and with security measures proportionate to the identified risk, including access control, operation logging and security incident management mechanisms.

Users may optionally consent to the anonymisation of data for the further development of the Application, in order to ensure technical functionality and ease of use, including AI model training. This consent may be withdrawn at any time without giving reasons. We cooperate with recognised medical, scientific and research institutions in the further development of our Application. Data necessary for scientific purposes are transferred only in anonymised form so that researchers cannot draw conclusions about a specific user. Our common goal is further development so that our users receive the best possible support and guidance during therapy. The consent covers the following data:

4. Integration with an external system and activation code verification

The Controller informs you that the Application uses an integration with an external system of your health insurer.

Logging in to the Application is carried out only by entering an activation code, which is then automatically verified in the system. For this purpose, users must request an individual code from their health insurer. The verification process is automated and consists of checking the validity and correctness of the entered code in the external system.

As part of this process, the Application sends to the system only the data necessary to complete verification, in particular the activation code and technical information related to the request, such as a timestamp or data necessary to secure the communication. The system does not send to the Application data identifying the user, such as first name, surname or other data enabling direct identification of the patient.

Code verification in the system is a condition for obtaining access to the Application functionalities. If the code cannot be positively verified, the user will not obtain access to the system.

Data are transferred to the system only to the extent necessary to carry out the authentication process and on the basis of the Controller's legitimate interest in ensuring secure access to the Application and its proper functioning (Article 6(1)(f) GDPR). To the extent that data may be processed by the system as a separate controller or as a processor, responsibility for further processing is governed by separate arrangements between the parties.

The Controller ensures that the integration with the health insurer system has been designed to minimise the scope of transferred data and reduce the risk of unauthorised disclosure, in accordance with the data minimisation principle set out in Article 5(1)(c) GDPR.

5. Purposes and legal bases of data processing

The Controller processes users' personal data in accordance with the GDPR, only to the extent necessary to achieve specified purposes and on the basis of the appropriate legal bases set out in Article 6(1) and, for special categories of data, Article 9(2) GDPR.

Personal data are processed to enable the use of the Application and its functionalities, including in particular user authentication, session handling and access to system resources. The legal basis for this processing is Article 6(1)(b) GDPR, meaning that the processing is necessary for the performance of a contract for use of the Application or to take steps prior to entering into such a contract.

Data may also be processed to ensure the proper operation and security of the Application, including activity monitoring, abuse detection, maintaining system logs and managing security incidents. The legal basis for this processing is Article 6(1)(f) GDPR, meaning the Controller's legitimate interest in ensuring the security and integrity of the system and protection against abuse.

For user support requests and communication with the user, data are processed to respond to enquiries or resolve technical issues. The legal basis for processing is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on the nature of the request.

The Controller also processes data to comply with legal obligations arising from applicable law, in particular in the area of personal data protection and information security. In such cases the legal basis for processing is Article 6(1)(c) GDPR.

Where health data are involved, being special categories of personal data within the meaning of Article 9(1) GDPR, the Controller states that the Application does not provide medical services. Such data are processed only on the basis of the user's explicit consent, in accordance with Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. Providing medical data is voluntary and occurs only to the extent resulting from the functionality of the Application.

The user has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before consent was withdrawn.

6. What rights do you have?

You may contact us at any time if you have questions about your data protection rights or wish to exercise any of the following rights:

If consent to the processing of health data is withdrawn, continued use of Application functionalities requiring the processing of such data may be limited or impossible.

The Controller will act on a request to withdraw consent without undue delay and no later than within the time limit required by law, and will ensure that the process for withdrawing consent is as easy as giving it.

Withdrawal of consent results in the cessation of processing to the extent that processing was based on consent, unless further processing is permitted on another legal basis.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal of consent does not affect processing based on other legal grounds provided in Article 6(1) of Regulation (EU) 2016/679 (GDPR), in particular where processing is necessary for the performance of a contract, compliance with a legal obligation incumbent on the controller, or pursuit of the controller's legitimate interests.

If you no longer wish the data processing necessary for proper use of the Application to continue, you may also object in the Application and thereby permanently delete your user account and all associated data.

The user has the right to request restriction of processing of personal data in the cases provided by law, in particular where:

During the period of restriction, data may only be stored or processed to the extent necessary for the establishment, exercise or defence of legal claims, or in other cases provided by law. Each restriction of processing is appropriately marked in the Controller's systems.

7. Erasure and data retention period

Unless otherwise specified, we delete your data as soon as they are no longer needed.

Users' personal data are processed for no longer than 90 days from the date they are obtained, in accordance with the storage limitation principle set out in Article 5(1)(e) GDPR, unless further storage is required by law, in particular in connection with obligations under Article 6(1)(c) GDPR.

After that period, the data are permanently and irreversibly deleted or anonymised in a manner that prevents any further attribution to a specific person. Accordingly, after the indicated period the Controller no longer has the user's personal data and cannot restore them.

The Controller informs you that it is not a healthcare provider and is not the controller of medical records. Your personal data, together with your therapy report, may be transferred to the electronic patient record (ePA) if you give such consent. Therapy data may be transferred to the ePA only if the user uses such a function or gives the required consent. The scope and frequency of data transfers depend on the available ePA function and the user's settings.

Upon effective transfer of the data, the ePA becomes a separate controller of personal data for the purposes of processing carried out by it. In such a case, any requests concerning personal data, including the exercise of rights referred to in Articles 15 to 22 GDPR, should be addressed directly to that entity.

Your user account data are automatically deleted after therapy ends. Alternatively, we will delete your data immediately upon your request made through the ABAStroke Application or otherwise.

You may, of course, request information about stored data at any time. Data protection enquiries and other legal matters may also be stored for a longer period within applicable statutory retention and limitation periods.

8. Deletion of the user account and user data

In accordance with BfArM's interpretation of DiGAV (Section 4(2)), the account together with all personal data is automatically deleted after the validity period (90 days) for DiGA users in Germany.

The user has the right to delete their account at any time, without giving reasons.

If a request to delete the account is submitted, the Controller will immediately take steps to delete it, together with the personal data assigned to it, in accordance with Article 17 GDPR (right to erasure, the so-called "right to be forgotten").

Deletion of the account results in the permanent and irreversible deletion of the user's personal data, subject to cases where further processing is required by law, in particular to comply with legal obligations or to establish, exercise or defend claims (Article 6(1)(c) and (f) GDPR).

Irrespective of the above, where data have been transferred to competent public authorities or other authorised entities, those entities become separate data controllers. In such a case, the exercise of rights related to further processing of data should be addressed directly to those entities.

9. Technical data

The technical data we collect inform us about the operating system and application version you use to access ABAStroke. The information below is collected automatically if you actively use the ABAStroke Application. Where legally permitted and technically feasible, we collect these data only after you have given active consent in the Application.

For security reasons, these data are transmitted over an encrypted connection. Your data are generally stored for as long as you have an active licence to use the Application, that is, 90 days. Alternatively, data are stored until you decide to delete individual data or the entire user account. The data are collected in order to enable you to use the Application as intended.

10. Application setup

Use of the Application requires setup by providing data. An activation code is required for setup.

The first activation of access to the Application is carried out by entering an activation code, which is verified in the system. After positive verification of the code, the Application may create a technical user account and link the active installation of the Application to the user's device.

When the Application is used later, access to the active installation may be protected by device-specific mechanisms such as device binding, system lock, device PIN or biometric authentication, if the user has enabled them and the device supports them. The Application offers the possibility of authentication, after informed consent has been obtained, using biometric authentication methods supported by your smartphone, such as fingerprint or Face ID. Responsibility for your biometric data lies with the relevant authentication service provider. We receive only the authentication result.

For security reasons, the collected data are transmitted over an encrypted connection. Your data are generally stored for as long as you have an active licence to use the ABAStroke Application, that is, 90 days. Alternatively, data are stored until you decide to delete individual data or the entire user account. The purpose of requesting the data is to create a user account, which is necessary for secure and proper use of the Application.

11. Push notifications

We have not currently implemented push notifications.

12. Functionality and user-friendliness

By consenting to the use of technical functions, you consent to our processing of the information provided in the Application in order to ensure its continuous technical functionality, user-friendliness and further development.

13. Third-party software

In order to ensure the proper, secure and stable operation of the Application, the Controller also uses software components originating from third parties, including open source components and other elements referred to as SOUP (Software of Unknown Provenance), that is, software that was not developed directly by the Controller but is used as part of the system.

These components are selected with due care and are subject to regular monitoring, validation and updating in accordance with the Controller's applicable software security management and risk management policy. The purpose of these activities is to reduce the risk of errors, security vulnerabilities and disruptions to the functioning of the Application.

If significant vulnerabilities, security incidents or changes in SOUP components are disclosed that may affect data security or the way the Application is used, the Controller may take appropriate technical and organisational measures, in particular:

If the nature of the event allows it and it is justified, users may be informed of significant changes through messages displayed in the Application.

To the extent required by law or resulting from the nature of the technologies used, the Controller may provide additional information about the components used, including information on open source licences and technical solutions. This information may be included in technical documentation, user documentation or provided upon justified request of authorised entities.

Use of the Application means acceptance of the fact that its operation may, to a limited extent, depend on external components over which the Controller does not have full control, while ensuring that appropriate organisational and technical measures are applied to protect data and minimise risk to users.

14. Recipients of personal data

In accordance with the above description and purposes, we disclose your data to the following recipients who are necessary for the provision of our services and communication with you:

In addition, the Controller may entrust the processing of personal data to third parties providing services necessary to ensure the proper functioning of the Application and to achieve the purposes set out in this Policy.

Processing is entrusted only on the basis of a written or electronic agreement concluded in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR), which obliges the processor to apply appropriate technical and organisational measures ensuring the protection of personal data and to process data only on the documented instructions of the Controller.

The Controller uses only processors that provide sufficient guarantees of implementing appropriate security measures compliant with GDPR requirements, industry standards and information security management principles. Such entities may process personal data only to the extent and for the period necessary to perform the entrusted services.

We currently do not carry out any operations involving automated decision-making that produces legal effects for data subjects or similarly significantly affects them.

Sentry - voluntary sharing of error report diagnostic data

Directly in the Application, you may give consent to "Share error reports". In order to ensure the security, stability and proper operation of the Application, the Controller may use Sentry, a tool provided by Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Sentry is used to monitor application errors, analyse crashes and diagnose technical problems.

The transfer of diagnostic data to Sentry is entirely voluntary and takes place only after the user's consent has been obtained by activating the "share application error report" function available in the Application settings.

If consent is not given, diagnostic data are not sent to Sentry. You may withdraw your consent at any time in the Application settings.

Scope of data processed

If consent is given, only limited technical data necessary to diagnose errors and improve the operation of the Application may be transferred to Sentry, in particular:

The Controller takes measures to exclude the transfer to Sentry of data enabling direct identification of the user (PII), such as first name and surname, email address, telephone number or the content of data entered by the user.

Processor

Sentry acts as a data processor or sub-processor within the meaning of Article 28 GDPR and processes data only on the Controller's documented instructions and in accordance with a data processing agreement.

Legal bases for processing

The legal basis for processing diagnostic data is:

Transfer of data outside the European Economic Area

Diagnostic data may be transferred outside the European Economic Area, in particular to the United States. Such transfer is carried out with the appropriate safeguards required by the GDPR, including standard contractual clauses approved by the European Commission.

More information about data processing by Sentry can be found in the provider's privacy policy: https://sentry.io/privacy/

15. Transfers outside the European Economic Area (EEA)

Personal data are not transferred outside the European Economic Area, except for diagnostic data processed through Sentry as described above and subject to the safeguards required by the GDPR.

16. Processing involving automated decision-making, including profiling

We currently do not carry out any operations involving automated decision-making that produces legal effects for data subjects or similarly significantly affects them.

17. How do we protect your data?

To ensure data protection and security, we apply comprehensive security measures to ensure the confidentiality, integrity and availability of your personal data. We take into account the state of the art and applicable data protection laws. Your data are stored only in an encrypted storage area in the Application. The integrity of that storage area is ensured by the operating system of your smartphone. Data are synchronised with our management system and database. Regular backups enable data restoration.

As part of its information security management system, the Controller has implemented and maintains procedures and safeguards compliant with the requirements of ISO/IEC 27001 (Information Security Management System). The Controller holds a certificate of conformity with ISO/IEC 27001, confirming the use of globally recognised standards in information protection, risk management and continuous improvement of safeguards.

The security measures used include, in particular, data access control, encryption, system monitoring, regular testing and assessment of the effectiveness of safeguards, security incident management and training of persons authorised to process personal data.

The Controller continuously analyses threats and takes measures aimed at minimising the risk of personal data breaches.

18. What can you do to keep your data secure?

To ensure the highest possible level of security for your data, you must take appropriate measures to protect the Application and the data transmitted through it. These include:

19. Changes to the Privacy Policy

The Controller reserves the right to amend or update this Privacy Policy at any time, in particular in the event of changes in law, technological development, implementation of new Application functionalities or changes in the way personal data are processed.

If material changes are made to the content of the Privacy Policy, including changes to its translations made available to users, the user will be informed of the new version of the document when first launching the Application after its publication. Until the user has read the current Privacy Policy and has given renewed consent by ticking the relevant checkbox, access to the Application functionalities may be limited or completely blocked.

The checkbox used to accept the updated Privacy Policy is unchecked by default, and the button enabling continued use of the Application remains inactive until the user gives consent.

The user may read the full current Privacy Policy through the "View Privacy Policy/Read more" function, which opens a dedicated window or panel containing the current version of the document.

Continued use of the Application after accepting the new version of the Privacy Policy confirms that the user has read its content and accepts the changes introduced. The Controller recommends regularly reviewing the current Privacy Policy in order to obtain up-to-date information on the rules for processing and protecting personal data.

20. How can you contact us?

If you have any questions about how we use your personal data, you may contact us by email or in writing at the following addresses:

ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland - marked: "data protection"

Email: contact@abastroke.com, michal@abastroke.com