Data Protection

ABAStroke Data Protection Information


1. Who is the data controller?

The data controller is the person or entity that determines the purposes and means of processing personal data. The controller of your personal data is ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland.

The Controller has appointed Michał Ryś as Data Protection Officer.

2. How can you contact us?

If you have any questions about how we use your personal data, you may contact us by email or in writing at the following addresses:

ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland - marked: "data protection"

Email: contact@abastroke.com, michal@abastroke.com

3. What data do we process?

The scope of data processed includes, in particular:

The Controller processes special categories of personal data referred to in Article 9(1) GDPR on the basis of Article 9(2)(a) GDPR and with appropriate technical and organisational measures ensuring their protection, in accordance with Article 32 GDPR.

Processing is carried out in accordance with the principles of confidentiality, integrity and availability of data, and with security measures proportionate to the identified risk, including access control, operation logging and security incident management mechanisms.

4. For what purposes and on what legal basis do we process your data?

Personal data are processed to enable the use of the application and its functionalities, including in particular user authentication, session handling and providing access to system resources. The legal basis for this processing is Article 6(1)(b) GDPR, meaning that the processing is necessary for the performance of a contract for use of the application or to take steps prior to entering into such a contract.

Data may also be processed to ensure the proper operation and security of the application, including activity monitoring, abuse detection, maintaining system logs and managing security incidents. The legal basis for this processing is Article 6(1)(f) GDPR, meaning the Controller's legitimate interest in ensuring the security and integrity of the system and protection against abuse.

For user support requests and communication with the user, data are processed to respond to enquiries or resolve technical issues. The legal basis for processing is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on the nature of the request.

The Controller also processes data to comply with legal obligations arising from applicable law, in particular in the area of personal data protection and information security. In such cases the legal basis for processing is Article 6(1)(c) GDPR.

Where health data are involved, being special categories of personal data within the meaning of Article 9(1) GDPR, the Controller states that the application does not provide medical services. Such data are processed only on the basis of the user's explicit consent, in accordance with Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. Providing medical data is voluntary and occurs only to the extent resulting from the functionality of the application.

5. Do you have to provide us with your data?

Providing data is voluntary; however, it is necessary for proper use of the application.

6. To whom may we disclose your data?

We do not disclose your data to other recipients, except where a legal obligation applies in a given EU country. A data processor or sub-processor within the meaning of Article 28 GDPR processes data only on the Controller's documented instructions and in accordance with a data processing agreement.

Diagnostic and error monitoring data may be processed using Sentry in order to ensure the security, stability and proper operation of the Application. Sentry is used to monitor application errors, analyse crashes and diagnose technical problems. You can learn more here: https://sentry.io/privacy/

On the German market, we may disclose your data to gematik GmbH. This institution operates the Telematikinfrastruktur (TI), and disclosure to it is necessary for the provision of our services and communication with you. You can learn more here: https://www.bkk-public.de/services/epa/epa-datenschutzhinweise

The Controller may also entrust the processing of personal data to other third parties providing services necessary to ensure the proper operation of the application and to achieve the purposes set out in this Policy, in particular hosting, maintenance, service, analytics, IT, technical support and ICT system security services.

7. What rights do you have?

You may contact us at any time if you have questions about your data protection rights or wish to exercise any of the following rights:

If consent to the processing of health data is withdrawn, continued use of application functionalities requiring the processing of such data may be limited or impossible. The Controller will act on a request to withdraw consent without undue delay and no later than within the time limit required by law, and will ensure that the process for withdrawing consent is as easy as giving it. Withdrawal of consent results in the cessation of processing to the extent that processing was based on consent, unless further processing is permitted on another legal basis. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal and does not affect processing based on other legal grounds provided in Article 6(1) GDPR, in particular where processing is necessary for the performance of a contract, compliance with a legal obligation incumbent on the controller, or pursuit of the controller's legitimate interests.

If you no longer wish the data processing necessary for proper use of the application to continue, you may also object in the application and thereby permanently delete your user account and all associated data.

8. How long will we process your data?

Unless otherwise specified, we delete your data as soon as they are no longer needed.

Users' personal data are processed for no longer than 90 days from the date they are obtained, in accordance with the storage limitation principle set out in Article 5(1)(e) GDPR, unless further storage is required by law, in particular in connection with obligations under Article 6(1)(c) GDPR.

After that period, the data are permanently and irreversibly deleted or anonymised in a manner that prevents any further attribution to a specific person. Accordingly, after the indicated period the Controller no longer has the user's personal data and cannot restore them.

9. How do we protect your data?

To ensure data protection and security, we apply comprehensive security measures to ensure the confidentiality, integrity and availability of your personal data. We take into account the state of the art and applicable data protection laws. Your data are stored only in an encrypted storage area in the application. The integrity of that storage area is ensured by the operating system of your smartphone. Regular backups enable data restoration.

10. May data be processed in processes involving automated decision-making, including profiling?

We currently do not carry out any operations involving automated decision-making that produces legal effects for the data subjects or similarly significantly affects them.

11. May your personal data be transferred outside the European Economic Area (EEA)?

Personal data are not transferred outside the European Economic Area, except where expressly described in this information notice and subject to the safeguards required by the GDPR.