Privacy Policy

Privacy Notice (website) of Oncare

Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific laws applicable to us. With the help of this privacy notice, we inform you comprehensively about the processing of your personal data by ONCARE GmbH (hereinafter referred to as “Oncare”) when using our website and the rights to which you are entitled.

Personal data is any information that makes it possible to identify a natural person. This includes, in particular, your name, date of birth, address, telephone number, email address and IP address. Data is considered anonymous if no personal reference to the individual/ user can be made.  

Responsible body and data protection officer

Postal address:  
Balanstrasse 71a
81541 Munich
E | service@myoncare.com

Contact info of the data protection officerprivacy@myoncare.com

Last updated on 25 April 2023.

Your rights as a data subjectWe would first like to inform you of your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR, and include:  

  • The right of access (Art. 15 GDPR),
  • The right to rectification (Art. GDPR),
  • The right to erasure / right to be forgotten (Art. 17 GDPR),
  • The right to restriction of data processing (Art. 18 GDPR),
  • The right to data portability (Art. 20 GDPR),
  • The right to object to data processing (Art. 21 GDPR).

To exercise these rights, please contact: privacy@myoncare.com. The same applies if you have any questions regarding data processing at our company or when you withdraw your consent. You also have the right of appeal to the relevant data protection supervisory authority.  

Right to objectPlease note the following with respect to your right to object:

When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.

If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection is free of charge and can be made in any form, if possible to: privacy@myoncare.com

Should we process your data to protect legitimate interests, you may object to such processing at any time for reasons that arise from your specific situation; this also applies to profiling based on these provisions.

We will then cease to process your personal information unless we can demonstrate compelling legitimate grounds for processing such information that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

Purposes and legal bases of data processingThe processing of your personal data complies with the provisions of the EU GDPR and all other applicable data protection regulations. Legal bases for data processing arise in particular from art. 6 GDPR.

We use your data to initiate business, to fulfil contractual and legal obligations, to conduct the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.

Your consent also constitutes permission to data processing under data privacy law. In this respect, we will inform you of the purposes of data processing and your right of objection. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.
In many cases, service providers assist our specialist departments to fulfil their tasks. The necessary data protection contracts have been concluded with all service providers.  

Processing of special categories of personal data within the meaning of art. 9 (1) GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such data or you have given your consent to the processing of these data according to art. 9 (2) GDPR.

Google services may transfer data to countries outside the EU/EEA (third country data transfer), e.g. to the USA, as part of the processing for the aforementioned purposes. Countries outside the European Economic Area may not offer a level of data protection comparable to that in Europe. Such countries for which the Commission has not explicitly determined that they provide an adequate level of protection with respect to data privacy are referred to as “unsafe third countries.” There is an increased risk that government authorities may access this data. We have no influence on these processing activities.

Data transfers / Disclosure to third partiesWe will only transmit your data to third parties within the scope of given statutory provisions or based on consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

Data recipients / categories of recipientsIn our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.  

Transfers of personal data to third countries  A transfer of data to third countries (outside the European Union or the European Economic Area) shall only take place if required by law or if you have provided your consent for such a transfer.

We transfer your personal data to service providers or group companies outside the European Economic Area as follows: United States of America.

In such cases, compliance with the required level of data protection is ensured by EU standard contractual clauses, the binding corporate data protection regulations of the service provider according to the established data protection contracts.

Period of data storageWe store your data for as long as such is required for the relevant processing purposes. Please note that numerous retention statutory periods require that data must be stored for a specific period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless a further period of retention is required.  
We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 3 years.

Secure transfer of dataWe implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.

The data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use the latest encryption protocols. When you use the contact form on our website to get in touch with us, the content is sent via https to a secure server of Site Ground, where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data.  It is also possible to use alternative communication channels.

Obligation to provide data

A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.

We have summarised the relevant details in the above point. In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.

Data categories, sources and origin of data

The data we process is defined by the relevant context: it depends on whether, for example, you enter a request on our contact form or if you want to send us an application or submit a complaint.

Please note that we may also provide information at specific points for specific processing situations separately where appropriate, e.g. when downloading our flyer or when making a contact request.

We collect and process the following data when you visit our website:

  • Your IP address which is immediately hashed by removing the last two digits
  • The URL and the title of the page you are viewing
  • The browser (name) you are using
  • Viewport or viewing pane (the size of the browser window)
  • Your screen resolution
  • Whether or not you have Java enabled
  • The language enabled in your browser

For reasons of technical security (in particular to safeguard against attempts to attack our web server), this data is stored in accordance with Article 6 (1) lit f GDPR. Anonymisation takes place immediately by abbreviating the IP address so that no reference is made to the user.

WordPress

Oncare uses the web design platform WordPress (WordPress, Org) to manage our website and the provider Site Ground (SiteGround Spain S.L.)  to host the website. For more details on the data processed by WordPress and Site Ground see sections ‘Data categories, sources and origin of data’ and ‘Secure transfer of data’ below and the privacy policy of WordPress and Site Ground.  

SendGrid

We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.  

For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.

Please note that your data is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU exists.

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Google Fonts

We use Google Fonts provided by Google Inc on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for the European area. We have embedded the Google fonts locally, on our web server – not on Google’s servers. This means that there is no connection to Google servers and therefore no data transfer or storage. This is an interactive directory of over 800 fonts that Google provides free of charge. To prevent any information transfer to Google servers, we have downloaded the fonts to our server. In this way, we act in a privacy compliant manner and do not send any data to Google Fonts.

Cookie Pro

This website uses the cookie consent tool “CookiePro” provided by OneTrust LLC, 1200 Abernathy Rd NE, Sandy Springs, GA 30328, USA (“OneTrust”) to obtain effective user consent for cookies and cookie-based applications. By integrating a corresponding JavaScript code, users are shown a banner when they access the page, in which consent can be given for certain cookies and/or cookie-based applications.  The tool blocks the setting of all cookies requiring consent until the respective user gives corresponding consent. This ensures that such cookies are only set on the respective end device of the user if consent has been granted. In order to be able to clearly assign page views to individual users and to individually record, log and store the consent settings made by the user for a session duration, certain user information (including the IP address) is collected by the cookie consent tool when our website is accessed, transmitted to OneTrust servers and stored there.  

This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website. Further legal basis for the described data processing is furthermore Art. 6 (1) p. 1 lit. c GDPR. We, as the controller, are subject to the obligation to make the use of technically unnecessary cookies dependent on the respective user consent.

SEOPress

We use SEOPress plugins on our website, a service provided by SEOPress SAS, 26 allée de Cantau, 64600 Anglet, France. The plugin handles the technical optimization of our websites for search engines and also assists with content development. You can prevent the storage of cookies by selecting the appropriate settings on your browser; we would like to point out that in this case you may not be able to use all functions of this website to their full extent. For more information please visit https://www.seopress.org/privacy-policy/. This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.

Polylang Pro

We use Polylang for the multilingualism of our website. Polylang is a product provided by WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. Polylang cookies are set solely to recognize and record the language used or selected by the user. These cookies are stored for one year and after that period deleted. For more information on data privacy compliance, please visit:   https://polylang.pro/privacy-policy/This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.

We collect and process the following data as part of a contact request:

  • Name and salutation
  • E-mail address
  • Type of your request
  • Information on your interests and inquiries (your message)
  • Company / organization

We process the following data as part of a job application you send us:

  • Name and salutation
  • Contact details you provide to us
  • Information on your professional career (CV), qualifications and certificates
  • Information you provide during application interviews and our notes thereof
  • The position you applied for, your salary expectations, you expected entry date and in exceptional cases your piece of identification
  • Any other information you provide to us during the application process.

We collect and process the following data in the context of job applications:

  • Last name, first name (maybe also title)
  • Address
  • Contact details (telephone number, e-mail address)
  • If applicable, contact data in electronic communication solutions (e.g. Skye, MS Teams) that you submit to us
  • Qualification data (CV, professional qualifications, work experience)
  • In addition, we use data that we have permissibly obtained from publicly accessible directories (e.g. professional networks).

Thank you for your interest in working for Oncare GmbH. We are aware of the importance of your data and process the personal data you provide us only for the purpose of effective and correct processing and for contacting you as part of the job application process. The data will not be transferred to third parties without your consent.  

You will be asked to provide personal information. We observe the principle of data economy and data avoidance by only requiring you to provide us with tdata that we need to review your job application documents, such as your CV, or that we are legally obligated to collect. To protect the security and confidentiality of your data, we implement appropriate security measures. In addition, we recommend that you send us your application documents in “zipped” form (e.g. 7z or .zip) with password protection by e-mail. Afterwards, please give us the password by telephone. Alternatively, you can also send us your application documents by post mail. We store your data for the above-mentioned purposes until the application process has been completed and related deadlines have expired – at the latest six months after receipt of a decision.  

If your job application is unfortunately unsuccessful, your data will be deleted by us within six months of rejection. If your application is successful, your application documents will be included on the HR files and will only be deleted after you have left the company and statutory retention periods have expired.

We are supported by our service provider JOIN Solutions GmbH (hereinafter “Join”) in carrying out the application process. For this purpose, we use a widget of the provider JOIN, Schönhauser Allee 36, 10435 Berlin, Germany. If you apply to a job, your application data will be processed by Join on our behalf as instructed. We have concluded the required data protection agreement with Join for data processing on our behalf, in which Join is obligated to process the data in accordance with the principles of GDPR and  in accordance with our instructions.  

Join widget: We use a Join widget to display current job offers. Cookies are set by the Join widget. The legal basis for the processing is Art. 6 (1) p. 1 lit. a GDPR.

Contact form / Contact via email (Article 6 (1) p.1. lit a, b GDPR)

A contact form is available on our website which can be used to contact us electronically. If you write to us using the contact form, we will process the data you submitted in the contact form to respond to your queries and requests.

In so doing, we respect the principle of data minimisation and data avoidance, such that you only have to provide the information we require to contact you, which is your name, salutation, email address and the type of your request. Your IP address will also be processed (and hashed immediately) for technical reasons and for legal protection. All other data is voluntary, and additional fields are optional (e.g. to provide a more detailed response to your questions).

If you contact us by email, we will process the personal information provided in the email solely for the purpose of processing your request.

Automated decisions in individual cases

We do not use purely automated processing to make decisions.

Cookies

Our website uses “cookies” at various locations, which serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser (locally on your hard disk). Cookies enable us to analyse how users use our websites so we can design the website content in accordance with the visitor’s needs. Cookies also allow us to measure the effectiveness of a particular advertisement and, for example, to place it based on the user’s interests.

When you first visit our website, a pop-up (CookiePro) opens from which you can give your consent to the use of categories of cookies which are described below as well as in the CookiePro pop-up itself.

The following categories of cookies are used on our website:

  • Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies include for example the ones used by CookiePro (OneTrust) to maintain cookies based on your consent. You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.
  • Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
  • Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Most of the cookies we use are “session cookies”, which will be automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired, or you delete them yourself prior to expiry.

In order to revoke your consent to the use of cookies (except for strictly necessary cookies which are always enabled), you can navigate to the footer of the website and deactivate categories of cookies in the CookiePro pop-up via the link ‘Cookies Settings’.

Furthermore, cookies are stored on the user’s computer which then transmits them to us. As a user, you therefore exercise full control over the use of cookies. You can change the settings in your Internet browser to disable or restrict the sending of cookies. In addition, cookies that have already been saved on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all the current Internet browsers.

Please note: If you deactivate the placing of cookies on your device, you may not be able to access all our website functions in certain circumstances.

Web tracking (Article 6 (1) p. 1 lit a EU GDPR)Matomo

This is an open source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transfer any data to servers outside the control of ONCARE. Matomo is deactivated when you use our services. Only after you have actively allowed it, your user behaviour will be recorded anonymously. By deactivating, a “permanent cookie” will be stored, if your browser settings allow this. This cookie serves the purpose of signaling Matomo not to capture your browser.

The information on usage collected by the cookie is transferred to our servers and saved there so that we can analyse user behaviour.

The information generated by the cookie on how you use our services will not be passed on to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality. For more information visit: https://matomo.org/privacy-policy/.  

The processing of the users’ personal data enables us to analyse the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and its user-friendliness.

We process and store personal data only for as long as this is necessary for the fulfilment of the intended purpose.

Google Analytics

Based on your consent (art. 6 (1) lit a EU GDPR) we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transferred to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. The processed data can be used to create pseudonymous user profiles of the users.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states that are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google as described in section ‘Cookies’ above.

Further information on the use of data by Google, setting and objection options, can be found in the privacy policy of Google and in the settings for the display of advertising by Google.

The personal data of users will be deleted or made anonymous after 12 months.

Google Marketing Platform (Doubleclick before)  

On this website we use Google Marketing Platform (hereinafter Doubleclick), a Google service. Doubleclick is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We use Doubleclick to make your stay on our website as pleasant as possible by integrating Google Maps. Doubleclick uses cookies, in particular to provide tailored ads to you.  

You can be addressed again by Google with suitable advertising offers on pages of Google Network, as you have visited or used corresponding websites and offers before. The information generated by the cookie may be transferred to a Google server in the USA and stored there. Google may also use the IP address of your browser for the display of ads. No data transmission takes place without your previously declared consent (Art. 6 para. 1 p. 1 lit. a GDPR) on our cookie banner. You can revoke this at any time by the “Cookie Settings” in the footer of our website. You can also deactivate the use of cookies by Google. Please note that you will not be able to access Google services embedded on our website (Google Maps) without your consent or if you deactivate them.  

Doubleclick is a service of a third company (Google) that is independent of us and we cannot influence whose data processing procedures. Further information how Google handles the data it collects from you, as well as other Google privacy policies, are available at http://www.google.com/intl/de/policies/privacy/

Google Maps-Plugin

Our website uses Google Maps (Google LLC) plugins. The plugins are deactivated until you specifically activate it by clicking on the plugin or have given your consent via our

cookie banner (consent according to Art. 6 para. 1 p. 1 lit. a) GDPR). Google will store your IP address after activation.  It is usually transferred to a Google server in the USA and stored there.  

You can find more information on the handling of user data in Google’s privacy policy at https://www.google.de/intl/de/policies/privacyHowever, you use this platform and its functions on your own responsibility. We would also like to point out that your data may be processed outside the European Union.

YouTube-PluginOur website uses YouTube plugins, YouTube is operated by Google. The operator is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surf behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please see YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

LinkedIn Insight TagOur website uses the conversion tool “LinkedIn Insight Tag” provided by LinkedIn Ireland Unlimited Company. The tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) pseudonymized. The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data are deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us. LinkedIn stores the personal data of the website visitors on its servers in the USA and uses it for its own advertising measures. You can find more detailed information on data protection at LinkedIn in the LinkedIn privacy notices.  

The use of LinkedIn Insight is based on Art. 6 para. 1 p. 1 lit. f GDPR.

Privacy policy / Notes on data protection in social mediaOncare GmbH maintains presences in the social medias, especially on Xing and LinkedIn. In case that we have control over the processing of your data, we will ensure that applicable data protection regulations. Below you find the most important information on data protection laws regarding our social media presences.

Name and address of the controllerThe following companies are responsible (as controller) for our social media presences, beside Oncare GmbH, according to the EU General Data Protection Regulation (GDPR) and other data protection provisions:  

  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  • Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland)

However, you use these platforms and their functions on your own responsibility, especially the use of interactive functions (e.g. commenting, sharing, rating). We would also like to point out that your data may be processed outside the European Union.

Purposes and legal basisWe maintain the social media presences in order to communicate with users and to inform them about our products and services. Furthermore, we collect data for statistical purposes in order to develop and optimize our content and to design our products/services more attractive. The data required for this purpose (e.g. total number of page views, page activity and data provided by visitors, interactions) is processed by the social networks and made available to us. We have no influence on the generation and presentation.  

In addition, your personal data will be processed by the social media providers for market research and advertising purposes. It is possible that, for example, based on your usage behavior and your interests, usage profiles are created. With the consequence that ads are placed inside and outside platforms that match your interests. Cookies are usually stored on your computer for this purpose. Data that are not collected directly on your end devices may also be stored in your usage profiles. Storage and analysis also takes place across devices; this applies in particular, but not exclusively, if you are registered as a member and logged in your account.

We do not collect or process any further personal data.

The processing of your personal data by Oncare GmbH is based on our legitimate interests to get appropriate information and reach sufficient communication pursuant to Art. 6 (1) p. 1 lit. f. GDPR. If you are asked for consent to data processing, i.e. if you declare your consent by confirming a button or similar (opt-in), the legal basis of the processing is Art. 6 (1) p. 1 lit. a., Art. 7 GDPR.

Your rights / objection option

If you are a member of a social network and do not want the network to collect data about you by our presence and link it to your social media membership data with the respective network, you must

  • log out of the social network before visiting our social media site,
  • delete the cookies present on the device and
  • close and restart your browser.

After logging in again, however, you will once more be recognizable to the network as a specific user. For a detailed description of the processing and the possibilities to object (opt-out), we refer to the following information:

  • LinkedIn

Privacy Statement: https://www.linkedin.com/legal/privacy-policy

Opt-Out: https://www.linkedin.com/legal/cookie-policy and

http://www.youronlinechoices.com

  • Xing

Privacy Statement: https://privacy.xing.com/de/datenschutzerklaerung

Opt-Out: http://www.youronlinechoices.com.

You have the following rights regarding the processing of your personal data:

The right of access, right to rectification, right to erasure / right to be forgotten, right to restriction of data processing, right to data portability, right to object to data processing and  

the right to file a complaint about unlawful processing of your personal data with the competent data protection authority. As Oncare does not have full access to your personal data, you should contact the social media provider directly if you wish to assert your claim, because your provider has access to the personal data of the users and can take appropriate measures and provide information. If you still need help, we support you.  Please contact privacy@myoncare.com

Online offers for children

Persons under the age of 16 may not submit personal data to us or give a declaration of consent without the authorisation of their legal guardian. We encourage parents and guardians to actively participate in the online activities and interests of their children.

Links to other providers

Our website also contains clearly identifiable links to the Internet sites of other companies. Although we provide links to websites of other providers, we have no influence on their content, and no guarantee or liability can therefore be assumed for such. The content of these pages is always the responsibility of the respective provider or operator of the pages.

The linked pages were checked at the time of linking for potential legal violations and identifiable infringements. No illegal content was identified at the time of linking. However, a permanent content control of the linked pages is not reasonable without concrete evidence of an infringement and, upon notification of a violation of rights, such links will be promptly removed.

Privacy Notice (website) of Oncare
Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific laws applicable to us. With the help of this privacy notice, we inform you comprehensively about the processing of your personal data by ONCARE GmbH (hereinafter referred to as “Oncare”) when using our website and the rights to which you are entitled.Personal data is any information that makes it possible to identify a natural person. This includes, in particular, your name, date of birth, address, telephone number, email address and IP address. Data is considered anonymous if no personal reference to the individual/ user can be made.  

Responsible body and data protection officer
Postal address:  
Balanstrasse 71a
81541 Munich
E | service@myoncare.com

Contact info of the data protection officerprivacy@myoncare.com
Last updated on 23 May 2024.

Your rights as a data subject
We would first like to inform you of your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR, and include:  The right of access (Art. 15 GDPR),The right to rectification (Art. GDPR),The right to erasure / right to be forgotten (Art. 17 GDPR),The right to restriction of data processing (Art. 18 GDPR),The right to data portability (Art. 20 GDPR),The right to object to data processing (Art. 21 GDPR).To exercise these rights, please contact: privacy@myoncare.com. The same applies if you have any questions regarding data processing at our company or when you withdraw your consent. You also have the right of appeal to the relevant data protection supervisory authority.  

Right to object
Please note the following with respect to your right to object:When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection is free of charge and can be made in any form, if possible to: privacy@myoncare.comShould we process your data to protect legitimate interests, you may object to such processing at any time for reasons that arise from your specific situation; this also applies to profiling based on these provisions.We will then cease to process your personal information unless we can demonstrate compelling legitimate grounds for processing such information that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

Purposes and legal bases of data processing
The processing of your personal data complies with the provisions of the EU GDPR and all other applicable data protection regulations. Legal bases for data processing arise in particular from art. 6 GDPR.We use your data to initiate business, to fulfil contractual and legal obligations, to conduct the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.Your consent also constitutes permission to data processing under data privacy law. In this respect, we will inform you of the purposes of data processing and your right of objection. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.
In many cases, service providers assist our specialist departments to fulfil their tasks. The necessary data protection contracts have been concluded with all service providers.  Processing of special categories of personal data within the meaning of art. 9 (1) GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such data or you have given your consent to the processing of these data according to art. 9 (2) GDPR.Google services may transfer data to countries outside the EU/EEA (third country data transfer), e.g. to the USA, as part of the processing for the aforementioned purposes. Countries outside the European Economic Area may not offer a level of data protection comparable to that in Europe. Such countries for which the Commission has not explicitly determined that they provide an adequate level of protection with respect to data privacy are referred to as “unsafe third countries.” There is an increased risk that government authorities may access this data. We have no influence on these processing activities.

Data transfers / Disclosure to third parties
We will only transmit your data to third parties within the scope of given statutory provisions or based on consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

Data recipients / categories of recipients
In our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.  

Transfers of personal data to third countries  
A transfer of data to third countries (outside the European Union or the European Economic Area) shall only take place if required by law or if you have provided your consent for such a transfer.We transfer your personal data to service providers or group companies outside the European Economic Area as follows: United States of America.In such cases, compliance with the required level of data protection is ensured by EU standard contractual clauses, the binding corporate data protection regulations of the service provider according to the established data protection contracts.

Period of data storage
We store your data for as long as such is required for the relevant processing purposes. Please note that numerous retention statutory periods require that data must be stored for a specific period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless a further period of retention is required.  
We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 3 years.

Secure transfer of data
We implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.The data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use the latest encryption protocols. When you use the contact form on our website to get in touch with us, the content is sent via https to a secure server of Site Ground, where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data.  It is also possible to use alternative communication channels.

Obligation to provide data
A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.We have summarised the relevant details in the above point. In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.

Data categories, sources and origin of data
The data we process is defined by the relevant context: it depends on whether, for example, you enter a request on our contact form or if you want to send us an application or submit a complaint.Please note that we may also provide information at specific points for specific processing situations separately where appropriate, e.g. when downloading our flyer or when making a contact request.

We collect and process the following data when you visit our website:
Your IP address which is immediately hashed by removing the last two digits. The URL and the title of the page you are viewing. The browser (name) you are using Viewport or viewing pane (the size of the browser window)Your screen resolution. Whether or not you have Java enabled. The language enabled in your browser. For reasons of technical security (in particular to safeguard against attempts to attack our web server), this data is stored in accordance with Article 6 (1) lit f GDPR. Anonymisation takes place immediately by abbreviating the IP address so that no reference is made to the user.

Webflow
The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as Webflow). When you visit our website, Webflow collects various log files including your IP addresses. Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are required to display the page, to provide certain website functions and to ensure security (necessary cookies).

Details can be found in Webflow's privacy policy: https://webflow.com/legal/eu-privacy-policy.

Webflow is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art.6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://webflow.com/legal/eu-privacy-policy.

SendGrid
We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.  For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis
The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period
The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.Please note that your data is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU exists.SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/
Google Fonts
We use Google Fonts provided by Google Inc on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for the European area. We have embedded the Google fonts locally, on our web server – not on Google’s servers. This means that there is no connection to Google servers and therefore no data transfer or storage. This is an interactive directory of over 800 fonts that Google provides free of charge. To prevent any information transfer to Google servers, we have downloaded the fonts to our server. In this way, we act in a privacy compliant manner and do not send any data to Google Fonts.

Cookiebot
We use the consent management service Cookiebot, from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (Usercentrics). This enables us to obtain and manage the consent of website users for data processing. The processing is necessary to fulfill a legal obligation (Art. 7 para. 1 GDPR) to which we are subject (Art. 6 para. 1 sentence 1 lit. c GDPR). For this purpose, the following data is processed with the help of cookies.

Your IP address (the last three digits are set to '0'). Date and time of consent. Browser information URL from which the consent was sent. An anonymous, random and encrypted key Your consent status of the end user, as proof of consent

The key and consent status are stored in the browser for 12 months using the "CookieConsent" cookie. This retains your cookie preference for subsequent page requests. With the help of the key, your consent can be verified and tracked.

If you enable the "bulk consent" service feature to enable consent for multiple websites through a single end-user consent, the service will additionally store a separate, random, unique ID with your consent. If all of the following criteria are met, this key is stored in the third-party cookie "CookieConsentBulkTicket" in your browser in encrypted form: You activate the bulk consent function in the service configuration. You allow third-party cookies via browser settings. You have deactivated "Do not track" via the browser settings. You accept all or at least certain types of cookies when you give your consent.

The functionality of the website is not guaranteed without the processing.

Usercentrics is the recipient of your personal data and acts as a processor for us.

The processing takes place in the European Union. Further information on objection and removal options vis-à-vis Usercentrics can be found at: https://www.cookiebot.com/de/privacy-policy/

Your personal data will be deleted on an ongoing basis after 12 months or immediately after termination of the contract between us and Usercentrics.

Please note our general information on the deletion and deactivation of cookies above.

We collect and process the following data as part of a contact request:
-
Name and salutation
- E-mail address
- Type of your request
- Information on your interests and inquiries (your message)Company / organization

We process the following data as part of a job application you send us:
- Name and salutation
- Contact details you provide to us
- Information on your professional career (CV), qualifications and certificates
- Information you provide during application interviews and our notes thereof
- The position you applied for, your salary expectations, you expected entry date and in exceptional cases your piece of identification
- Any other information you provide to us during the application process.

We collect and process the following data in the context of job applications:
Last name, first name (maybe also title)AddressContact details (telephone number, e-mail address)If applicable, contact data in electronic communication solutions (e.g. Skye, MS Teams) that you submit to usQualification data (CV, professional qualifications, work experience)In addition, we use data that we have permissibly obtained from publicly accessible directories (e.g. professional networks).Thank you for your interest in working for Oncare GmbH. We are aware of the importance of your data and process the personal data you provide us only for the purpose of effective and correct processing and for contacting you as part of the job application process. The data will not be transferred to third parties without your consent.  You will be asked to provide personal information. We observe the principle of data economy and data avoidance by only requiring you to provide us with tdata that we need to review your job application documents, such as your CV, or that we are legally obligated to collect. To protect the security and confidentiality of your data, we implement appropriate security measures. In addition, we recommend that you send us your application documents in “zipped” form (e.g. 7z or .zip) with password protection by e-mail. Afterwards, please give us the password by telephone. Alternatively, you can also send us your application documents by post mail. We store your data for the above-mentioned purposes until the application process has been completed and related deadlines have expired – at the latest six months after receipt of a decision.  If your job application is unfortunately unsuccessful, your data will be deleted by us within six months of rejection. If your application is successful, your application documents will be included on the HR files and will only be deleted after you have left the company and statutory retention periods have expired.We are supported by our service provider JOIN Solutions GmbH (hereinafter “Join”) in carrying out the application process. For this purpose, we use a widget of the provider JOIN, Schönhauser Allee 36, 10435 Berlin, Germany. If you apply to a job, your application data will be processed by Join on our behalf as instructed. We have concluded the required data protection agreement with Join for data processing on our behalf, in which Join is obligated to process the data in accordance with the principles of GDPR and  in accordance with our instructions.  Join widget: We use a Join widget to display current job offers. Cookies are set by the Join widget. The legal basis for the processing is Art. 6 (1) p. 1 lit. a GDPR.

Contact form / Contact via email (Article 6 (1) p.1. lit a, b GDPR)
A contact form is available on our website which can be used to contact us electronically. If you write to us using the contact form, we will process the data you submitted in the contact form to respond to your queries and requests.In so doing, we respect the principle of data minimisation and data avoidance, such that you only have to provide the information we require to contact you, which is your name, salutation, email address and the type of your request. Your IP address will also be processed (and hashed immediately) for technical reasons and for legal protection. All other data is voluntary, and additional fields are optional (e.g. to provide a more detailed response to your questions).If you contact us by email, we will process the personal information provided in the email solely for the purpose of processing your request.

Calendly.com
On our website, we offer the option of (pre)booking appointments via the Calendly tool. By clicking on the "Book your free consultation now" button, you will be redirected to the website calendly.com of the company Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA (hereinafter referred to as "Calendly"). When making an appointment, it is generally necessary to provide personal data; please refer to the form to be completed to find out what this is. When booking an appointment via Calendly, your data entered on the Calendly website will be forwarded to us by Calendly and stored and processed by us in order to carry out the appointment. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR. With regard to the processing of your data by Calendly itself, we refer you to Calendly's privacy policy, available at: https://calendly.com/pages/privacy.

It cannot be ruled out that your data will be transferred to the USA and thus to an insecure third country. You can find more information on this here: https://calendly.com/pages/security. Calendly's terms of use, which we agreed to when we registered with Calendly, also contain the following data processing addendum: https://calendly.com/pages/dpa with which Calendly promises you additional protection with regard to data transfer to the USA in order to comply with the GDPR requirements. There is currently neither an EU adequacy decision nor any other suitable guarantees for the USA. The protection of your data cannot be guaranteed in the USA.

There is currently no level of data protection in the USA that is equivalent to that in the EU. Therefore, the transfer is associated with corresponding risks. In particular, there are no guarantees that your transferred data will not be accessed by government agencies. For example, it cannot be ruled out that US authorities may access your data on the basis of Section 702 of the Foreign Intelligence Surveillance Act (FISA for short) and/or on the basis of the so-called CLOUD Act (Clarifying Lawful Overseas Use of Data Act). In this context, we would like to expressly point out that, as an EU citizen, you have no effective legal protection against the processing of your data by US authorities. If you book an appointment via Calendly, you do so in full knowledge of these risks, which you thereby consciously accept.

Google reCAPTCHA
We use "Google reCAPTCHA" (hereinafter referred to as "reCAPTCHA") on our websites. It is also integrated as standard in Calendly. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The purpose of reCAPTCHA is to check whether the data input on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place. reCAPTCHA is only loaded after you have agreed to our essential cookies.

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM.

Further information about Google reCAPTCHA and Google's privacy policy can be found at the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Automated decisions in individual cases
We do not use purely automated processing to make decisions.

Cookies
Our website uses “cookies” at various locations, which serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser (locally on your hard disk). Cookies enable us to analyse how users use our websites so we can design the website content in accordance with the visitor’s needs. Cookies also allow us to measure the effectiveness of a particular advertisement and, for example, to place it based on the user’s interests.When you first visit our website, a pop-up (CookiePro) opens from which you can give your consent to the use of categories of cookies which are described below as well as in the CookiePro pop-up itself.The following categories of cookies are used on our website:Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies include for example the ones used by CookiePro (OneTrust) to maintain cookies based on your consent. You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.Most of the cookies we use are “session cookies”, which will be automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired, or you delete them yourself prior to expiry.In order to revoke your consent to the use of cookies (except for strictly necessary cookies which are always enabled), you can navigate to the footer of the website and deactivate categories of cookies in the CookiePro pop-up via the link ‘Cookies Settings’.Furthermore, cookies are stored on the user’s computer which then transmits them to us. As a user, you therefore exercise full control over the use of cookies. You can change the settings in your Internet browser to disable or restrict the sending of cookies. In addition, cookies that have already been saved on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all the current Internet browsers.Please note: If you deactivate the placing of cookies on your device, you may not be able to access all our website functions in certain circumstances.

Web tracking (Article 6 (1) p. 1 lit a EU GDPR)

Google Analytics
Based on your consent (art. 6 (1) lit a EU GDPR) we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transferred to a Google server in the USA and stored there.Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. The processed data can be used to create pseudonymous user profiles of the users.We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states that are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google as described in section ‘Cookies’ above.Further information on the use of data by Google, setting and objection options, can be found in the privacy policy of Google and in the settings for the display of advertising by Google.The personal data of users will be deleted or made anonymous after 12 months.

YouTube-Plugin
Our website uses YouTube plugins, YouTube is operated by Google. The operator is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surf behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please see YouTube’s privacy policy at:https://www.google.de/intl/de/policies/privacy
Vimeo
We may have integrated videos from the provider Vimeo LLC, headquartered at 555 West 18th Street, New York, New York 10011. Some of our Internet pages contain videos from Vimeo. When you access such a page on our website, a connection to the Vimeo servers is established. This tells the Vimeo server which of our web pages you have visited. If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When you click on the start button of a video, this information can also be assigned to an existing user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo. We use this service within our online offer on the basis of a legitimate interest - in the analysis, optimization and economic operation of our online offer. The legal basis is Art. 6 para. 1 lit. f.) GDPR.(4) Further information on data processing and information on data protection by Vimeo can be found at vimeo.com/privacy.(5) In addition, Vimeo calls up the Google Analytics tracker via an iFrame in which the video is called up. This is Vimeo's own tracking, to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. Users can also prevent Google from collecting the data generated by Google Analytics and relating to their use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout

LinkedIn Insight Tag
Our website uses the conversion tool “LinkedIn Insight Tag” provided by LinkedIn Ireland Unlimited Company. The tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) pseudonymized. The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data are deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us. LinkedIn stores the personal data of the website visitors on its servers in the USA and uses it for its own advertising measures. You can find more detailed information on data protection at LinkedIn in the LinkedIn privacy notices.  The use of LinkedIn Insight is based on Art. 6 para. 1 p. 1 lit. f GDPR.

Privacy policy / Notes on data protection in social media
Oncare GmbH maintains presences in the social medias, especially on Xing and LinkedIn. In case that we have control over the processing of your data, we will ensure that applicable data protection regulations. Below you find the most important information on data protection laws regarding our social media presences.

Name and address of the controller
The following companies are responsible (as controller) for our social media presences, beside Oncare GmbH, according to the EU General Data Protection Regulation (GDPR) and other data protection provisions:  LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland)However, you use these platforms and their functions on your own responsibility, especially the use of interactive functions (e.g. commenting, sharing, rating). We would also like to point out that your data may be processed outside the European Union.

Purposes and legal basis
We maintain the social media presences in order to communicate with users and to inform them about our products and services. Furthermore, we collect data for statistical purposes in order to develop and optimize our content and to design our products/services more attractive. The data required for this purpose (e.g. total number of page views, page activity and data provided by visitors, interactions) is processed by the social networks and made available to us. We have no influence on the generation and presentation.  In addition, your personal data will be processed by the social media providers for market research and advertising purposes. It is possible that, for example, based on your usage behavior and your interests, usage profiles are created. With the consequence that ads are placed inside and outside platforms that match your interests. Cookies are usually stored on your computer for this purpose. Data that are not collected directly on your end devices may also be stored in your usage profiles. Storage and analysis also takes place across devices; this applies in particular, but not exclusively, if you are registered as a member and logged in your account.We do not collect or process any further personal data.The processing of your personal data by Oncare GmbH is based on our legitimate interests to get appropriate information and reach sufficient communication pursuant to Art. 6 (1) p. 1 lit. f. GDPR. If you are asked for consent to data processing, i.e. if you declare your consent by confirming a button or similar (opt-in), the legal basis of the processing is Art. 6 (1) p. 1 lit. a., Art. 7 GDPR.

Your rights / objection option
If you are a member of a social network and do not want the network to collect data about you by our presence and link it to your social media membership data with the respective network, you mustlog out of the social network before visiting our social media site,delete the cookies present on the device andclose and restart your browser.After logging in again, however, you will once more be recognizable to the network as a specific user. For a detailed description of the processing and the possibilities to object (opt-out), we refer to the following information:LinkedInPrivacy Statement: https://www.linkedin.com/legal/privacy-policyOpt-Out: https://www.linkedin.com/legal/cookie-policy andhttp://www.youronlinechoices.comYou have the following rights regarding the processing of your personal data:The right of access, right to rectification, right to erasure / right to be forgotten, right to restriction of data processing, right to data portability, right to object to data processing and  the right to file a complaint about unlawful processing of your personal data with the competent data protection authority. As Oncare does not have full access to your personal data, you should contact the social media provider directly if you wish to assert your claim, because your provider has access to the personal data of the users and can take appropriate measures and provide information. If you still need help, we support you.  Please contact privacy@myoncare.com
Online offers for children
Persons under the age of 16 may not submit personal data to us or give a declaration of consent without the authorisation of their legal guardian. We encourage parents and guardians to actively participate in the online activities and interests of their children.

Links to other providers
Our website also contains clearly identifiable links to the Internet sites of other companies. Although we provide links to websites of other providers, we have no influence on their content, and no guarantee or liability can therefore be assumed for such. The content of these pages is always the responsibility of the respective provider or operator of the pages.The linked pages were checked at the time of linking for potential legal violations and identifiable infringements. No illegal content was identified at the time of linking. However, a permanent content control of the linked pages is not reasonable without concrete evidence of an infringement and, upon notification of a violation of rights, such links will be promptly removed.

PRIVACY POLICY FOR EUROPE

Welcome to myoncare, the digital health portal for efficient and demand-oriented patient care.

For us at Oncare GmbH (hereinafter referred to as "ONCARE" or "we", "us", "our"), the protection of your privacy and your personal data processed during the use of the myoncare portal is of great importance. We are aware of the responsibility that arises from the provision and storage of your personal data in the myoncare portal. Therefore, our technology systems used for the myoncare services are set up to the highest standards and the lawful processing of the data is at the core of our ethical understanding as a company.

We process your personal data in accordance with the applicable legal provisions on the protection of personal data, in particular the EU General Data Protection Regulation ("GDPR") and the country-specific laws that apply to us. In this Privacy Policy, you will find out why and how ONCARE processes your personal data that we collect from you or that you provide to us when you decide to use the myoncare portal. In particular, you will find a description of the type of personal data we collect and process, as well as the purpose and basis on which we process the personal data; furthermore, you will find the rights to which you are entitled.

Please read the Privacy Policy carefully to ensure that you understand each provision. After reading the Privacy Policy, you will have the opportunity to consent to the Privacy Policy and consent to the processing of your personal data as described in the Privacy Policy. If you give your consent, the Privacy Policy becomes part of the contract between you and ONCARE.

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

DEFINITIONS

"App user" means any user of the myoncare App (your patient).

"Blockchain technology" The myoncare system contains an additional decentralized database in which the data of all installations is stored.

"Careplan provider" means you or any other service provider or third party (e.g. medical device manufacturer, pharmaceutical company) who makes Care Plans available to other Portal users via the myoncare Store or other means of data exchange.

"Careplan user" means you or any other service provider (Portal User) who uses a Care Plan ("Pathway") for the treatment of its registered Patients.

"Pathway" is a standardized treatment plan consisting of several scheduled care tasks, that can determine the steps for diagnoses and therapies. "Care tasks" are specific tasks or actions within a pathway that must be performed by the healthcare providers involved, the nursing staff or the patient themselves.

"healthcare provider" means you or any other physician, clinic, healthcare facility or other healthcare professional acting alone or on behalf of you or another physician, clinic or healthcare facility (intended User).

"myoncare app" refers to the mobile myoncare application for patients who wish to use the services offered by ONCARE via app.

"myoncare store" is the platform operated by ONCARE that provides digital care concepts (care plans) for the treatment of your registered patients via the myoncare portal.

"myoncare tools" means the myoncare app and the myoncare portal together.

"myoncare PWA app" means the myoncare Progressive Web App application for patients who wish to use the services offered by ONCARE via the PWA App and not via the myoncare app.

"myoncare portal" is the myoncare web portal intended for professional use by portal users and serves as an interface between portal users and patients as app users.

"myoncare services" means the services, functionalities and other offers that are or could be offered to portal users via the myoncare Portal and/or to App Users via the myoncare App.

"ONCARE" means ONCARE GmbH, Germany.

"Portal User" means you or any other service provider using the web-based myoncare Portal.

"Patient Privacy Policy" means the privacy policy that describes the collection, use and storage of the personal (health) information of patients using the myoncare App. According to the terms of use, our offer is only aimed at patients aged 18 and over. Accordingly, no personal data of children and adolescents under the age of 18 is stored and processed.

"Privacy Policy" means this statement provided to you as a user of the myoncare Portal, which describes how we collect, use and store your personal information and informs you of your broad rights.

"Terms of Use" means the terms of use for the use of the myoncare Portal.

PROCESSING OF (TREATMENT) DATA

Oncare GmbH, a company registered with the District Court of Munich under the registration number 219909 with its registered office at Balanstraße 71a, 81541 Munich, Germany, offers and operates the interactive web portal myoncare Portal (for healthcare professionals) and the mobile application myoncare App (for patients) as access to the myoncare services. This privacy policy applies to all personal data processed by ONCARE in connection with the use of the myoncare portal. For the use of the myoncare app by patients, you will find  a separate privacy policy for patients here.

WHAT IS PERSONAL DATA

"Personal data" means any information that allows a natural person to be identified. This includes but is not limited to your name, birthday, address, telephone number, email address and IP address.

"Health data" means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, from which information about his or her state of health precedes.

Data is to be considered "anonymous" if no personal connection to the person/user can be established.

In contrast, "pseudonymized" data is data from which a personal reference or personally identifiable information is replaced by one or more artificial identifiers or pseudonyms, but which can generally be re-identified by the identifier key. (within the meaning of Art. 4 No. 5 GDPR).

Myoncare PWA App

A progressive web app (PWA) is a website that looks and has the functionality of a mobile app. PWAs are built to take advantage of the native features of mobile devices without the need for an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing the benefits of native mobile apps into the browser. The PWA is based on the technology of "React Native for Web". "React Native for Web" is an open-source software for PWA applications.

To use the myoncare PWA app, patients need a computer or smartphone and an active internet connection. There is no need to download an app.

Some of the myoncare app services cannot be used within the myoncare PWA app, see the description below for details. These are the following services or specifications:

-Chat with healthcare providers;

-Video;

-Security PIN codes;

-Activity data tracking (e.g. via AppleHealth, GoogleFit, Withings).

The following information about the myoncare app also applies to the myoncare PWA app, unless otherwise described in this section.

WHAT PERSONAL DATA IS USED WHEN USING THE MYONCARE APP

We may process the following categories of data about you when using the myoncare app:

Operational data: Personal data that you provide to us when registering and logging in to our myoncare portal, when contacting us about issues with the portal or when otherwise interacting with us for the purpose of using the portal.

Treatment data: You collect personal data of your patients, such as name, age, height, weight, indication, symptoms of illness and other information in connection with the treatment of your patients (e.g. in a care plan) in the myoncare portal. Activity data of your connected patients is made available to you in your myoncare portal.

Commercial store data: Personal data that is processed by us in the case of using the myoncare store, either in the context of authorship of care plans or the purchase of care plans. The use of the myoncare store will require the processing of your name and other contact information as well as payment details (payment information only if the care plan is subject to a fee).

Activity data: Personal data that is processed by us when an app user connects the myoncare app to a health application (e.g. AppleHealth, GoogleFit, Withings). Activity data of your connected patients is made available to you in your myoncare portal.

Commercial and non-commercial research data: We process your personal data in anonymized/pseudonymized form to analyze and produce summary scientific reports in order to improve products, treatments and scientific results.

Product safety data: Personal data that is processed to comply with our legal obligations as the manufacturer of the myoncare app as a medical device. In addition, your personal information may be processed in case you report an incident to fulfill legal security or vigilance purposes of medical device or pharmaceutical companies.

Reimbursement data: Personal data required for the reimbursement process.

BLOCKCHAIN-TECHNOLOGY

Blockchain technology ("blockchain") (European Patent No. 4 002 787) is an optional service that is not mandatory. It is up to you, the service provider, to decide to use the blockchain solution. The blockchain is based on Hyperledger Fabric's technology.  Hyperledger Fabric is an open-source software for enterprise-level blockchain implementations. It offers a scalable and secure platform that supports blockchain projects.

The blockchain in the myoncare system is an additional database that stores data from the application. All blockchain data is stored in the Federal Republic of Germany. It is a private blockchain ("private blockchain"), it only allows the input of selected verified participants and it is possible to overwrite, edit or delete entries as needed.

Generally, the blockchain consists of digital data in a chain of packets called "blocks" that store the corresponding transactions. The way these blocks are connected to each other is chronological. The first block that is created is called the genesis block, and each block added after has a cryptographic hash related to the previous block, allowing transactions and changes of information to be traced back to the genesis block. All transactions within the blocks are validated and verified through a blockchain consensus mechanism to ensure that each transaction is unchanged.

Each block contains the list of transactions, a timestamp, its own hash, and the hash of the previous block. A hash is a function that converts digital data into an alphanumeric chain. In this case, the block can no longer be synchronized with the others. If an unauthorized person tries to change the data of a single block, the hash of the block would also change and the link to that block would be lost. If all nodes (network nodes) attempt to synchronize their copies, it is determined that the modified copy has been modified, and the network deems that node to be faulty. This technical process prevents unauthorized persons from manipulating the contents of the blockchain chain.

Our blockchain is a private blockchain. A private blockchain is decentralized. It is a so-called distributed ledger system (digital system for recording transactions), which functions as a closed database.  Unlike public blockchains, which are "unauthorized," private blockchains are „authorized" because authorization is required to become a user. In contrast to public blockchains, which are publicly accessible to everyone, access to private blockchains is dependent on authorization in order to become a user. This structure makes it possible to take advantage of the security and immutability of blockchain technology while being data protection compliant, and to comply with the regulations of the General Data Protection Regulation (GDPR). Private blockchain records can be edited, altered, or deleted; deletion in this context means that the reference value to the UUID (Universally unique identifier) in the database of the healthcare provider is deleted. In addition, the hash is anonymized in the blockchain database, with the result that this overall process is compliant with the General Data Protection Regulation and the rights of a data subject are guaranteed (right to erasure "right to be forgotten", Art. 17 GDPR).

Type of data stored and processed in the blockchain:

-Patients-UUID

-Institutions/Leistungserbinger UUID

-Asset-UUID

-Hash of caretask and asset data.

(UUID: Universal Unique Identifier).

The data stored in the blockchain is pseudo-anonymized.

Our blockchain is designed to ensure data privacy in terms of data integrity, patient profile, assets, and assigned care tasks and medications. To communicate with the blockchain, the user must register a series of public-private keys. To communicate with the blockchain, the user needs several public-private keys; the registration process generates certificates that are stored in a separate database of the healthcare provider and on the patient's mobile phone. A backup copy of the patient key is encrypted and stored in the healthcare provider's database, which can only be accessed by the patient.

When verifying consent to data protection, in the event that the healthcare provider wants to communicate with the Patient, the system checks whether the Patient has given consent to the Provider's Privacy Policy. The blockchain therefore serves to ensure the integrity and accountability of the record to ensure that the patient has accepted the privacy policy.

When a healthcare provider uploads a new version of a privacy policy, the hash of the file is stored on the blockchain, and after the patient agrees to the privacy policy, that interaction is stored on the blockchain. Every time it communicates with the patient, the blockchain responds by comparing the hash with a flag that indicates whether the patient's consent is still valid for the current privacy policy.

The integrity of the patient profile is also ensured by the blockchain in patient synchronization. The healthcare provider immediately detects if the patient profile is not synchronized or matches the profile on the mobile phone by comparing the hash of the patient profile in the blockchain. In this way, the healthcare provider achieves sufficient up-to-dateness with regard to the patient profile.

myoncare portal:

If the service provider decides to use the blockchain solution, ONCARE implements an additional tool, called "Adapter Service", which is used to communicate with the blockchain. The blockchain instance is hosted by ONCARE.

myoncare app:

Patients can connect to the same blockchain instance using the Phone Manager tool, which is also hosted by ONCARE. This service is also hosted by ONCARE.

Justification of processing: The processing of data by ONCARE on behalf of the service provider is carried out based on Art. 28 GDPR (order processing agreement).

OPERATIONAL DATA PROCESSING

In case you are a contact person for the operation of the portal at your location/practice (e.g. IT administrator, appointed healthcare professional), you may provide us with certain personal data when you contact us to understand or discuss the features and use of the portal, or in the event of a service request.

In the event of a service request, the following personal data can also be viewed by authorized ONCARE employees:

Your personal data that you have provided to us for registration and/or login to our portal (e.g. name, date of birth, profile picture, contact details).

Authorized ONCARE employees who may access your database for the purpose of processing a service request are contractually obligated to keep all personal information strictly confidential.

When processing operational data, ONCARE acts as a data controller responsible for the lawful processing of your personal data.

Types of Data: e-mail address, date of birth, date of registration, your IP address, pseudo-keys generated by the Portal.

The app uses Google Maps API to use geographic information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. You can find more detailed information about the scope, legal basis and purpose of data processing by Google as well as the storage period in the Google Privacy Policy.

Purpose of processing operational data: We use the operational data to maintain the functionalities of the myoncare portal and to contact you directly if necessary or on your initiative (e.g. in the event of changes to terms of use, necessary support, technical problems, etc.). Furthermore, personal data (e-mail address) is required and processed within the framework of two-factor authentication every time you log in to the myoncare portal.

Justification of processing: The processing of operational data is justified based on Art. 6 para. 1 lit. b GDPR for the performance of the contract that you conclude with ONCARE for the purpose of using the myoncare portal.

IP GEOLOCATION

We use a geolocation application for our services. We use ipapi (provided by apilayer Data Products GmbH, Elisabethstraße 15/5, 1010 Vienna, Austria) and Geoapify (provided by Keptago Ltd., N. Nikolaidi and T. Kolokotroni ONISIFOROU CENTER 8011 Paphos, Cyprus) to identify the location of patient users. We use it to secure our applications and to verify the location of the patient user to ensure that the use of our services is compliant. We do not combine the information we collect with any other information about the user that could identify them. The data processed by apilayer includes the patient's IP address and other details about the location. The legal basis for the use is Art. 6 para. 1 lit. f GDPR. The data will be deleted when the associated purpose for which it was collected no longer exists and there is no longer a legal obligation to store it. For more information on their privacy policy, please see https://ipapi.com/privacy/ and Privacy Policy | Geoapify location platform.

PROCESSING OF TREATMENT DATA

While using the myoncare portal, you enter personal (health) data of your patients into the myoncare portal (e.g. provision of an individual care plan, reminder to take medication, etc.). In addition, you and your patients can upload documents and files to the myoncare portal and share them with each other. In addition, location functions can be generated and implemented:

·       Adding a location;

·       Uploading the logo of the site;

·       Adding the details of the location;

·       Upload a privacy policy;

It is possible to create further consent requirements for the patient, for which the patient must give consent in order to connect to the website.

An uploaded privacy policy will be displayed to every patient who connects to the website. All declarations of consent must be documented in the uploaded privacy policy. Once a privacy policy has been uploaded, it can only be replaced by a new version but cannot be deleted.

The files are stored in a cloud database in Germany. You can allow the sharing of such files with other portal users within your institution for medical purposes. Other portal users do not have access to these files.

In accordance with the GDPR, you are responsible for the processing of patients' health data in the context of the use of the myoncare services as the data officer.

We process such personal data, including the patient's health data, under an agreement with you and in accordance with your instructions. Please only process your patients' data if you have obtained the required data consent from these patients. ONCARE acts as a data processor in accordance with the separate data processing agreement,

which we have concluded with you based on Art. 28 GDPR.

PROCESSING OF COMMERCIAL STORE DATA

Only applicable if you use the myoncare Store as a Careplan user.

The myoncare store is integrated into the myoncare portal and offers the purchase of care plans. After registering with the myoncare portal, you can connect to the myoncare store using your login details. You can use the myoncare store to purchase care plans as a user.

Data of the careplan user:

The data of the careplan user, which the myoncare Store processes during its use, is processed for the conclusion of a license agreement with the careplan provider – in this case ONCARE – and, if a fee is due, for the processing and control of the payment transaction between the careplan provider – in this case ONCARE – and the careplan user.

Types of data: name, contact details, bank account details.

Processing of commercial store data: Personal data that is processed by us in the case of using the myoncare store as part of the purchase of care plans. In addition, the payment data (if a usage fee is charged) will be forwarded to the careplan provider.

Justification of the processing of commercial store data: The legal basis for the processing of commercial store data is Art. 6 para. 1 lit. b GDPR – the processing of the data serves the performance of the contract between careplan user and careplan provider – in this case ONCARE.

PROCESSING OF ACTIVITY DATA

Only applicable if your connected app users consent to and enable data transfer.

Myoncare tools offer app users the option of connecting the myoncare app to certain health apps (e.g. AppleHealth, GoogleFit, Withings) ("Health App"), provided that these are used by the app user and the connection is made by the app user. If the connection is established, activity data collected by the Health App will be provided to you for the purpose of providing additional, contextual information regarding the app user's activity. Please note that activity data is not validated by myoncare tools and should therefore not be used for diagnostic purposes as a basis for medical decision-making.

The processing of activity data is the responsibility of your patients.

Types of data: The type and scope of data transferred depend on the decision of the app users. Data may include weight, height, steps taken, calories burned, hours of sleep, heart rate, and blood pressure, among others.

Purpose of processing activity data: App user's activity data is provided to  you for the purpose of providing additional, contextual information regarding the app user's activity. Please note that activity data is not validated by myoncare tools and should therefore not be used for diagnostic purposes as a basis for medical decision-making.

Justification of processing:

The data officer is the patient himself, by giving you access to his activity data for the purpose of reviewing the information shared. Therefore, no further justification is required.

PROCESSING OF PRODUCT SAFETY DATA

Only applicable if you use the medical device variant of the myoncare tools.

The myoncare portal and the myoncare app are classified and marketed as medical devices in accordance with European medical device regulations. As the manufacturer of the myoncare tool, we must comply with certain legal obligations (e.g. monitoring the functionality of the tool, evaluating incident reports that could be related to the use of the tool, tracking users, etc.). In addition, myoncare tools allow you to collect personal data about specific medical devices or medicines used in the treatment of your patients. The manufacturers of such medical devices or medicinal products also have legal obligations regarding market surveillance (e.g. collection and evaluation of side effect reports).

ONCARE is the data controller for the processing of product safety data.

Types of data: case reports, personal data provided in an incident report and results of the assessment, details of the reporter.

Processing of product safety data: We store and evaluate all personal data in connection with our legal obligations as a manufacturer of a medical device and transmit this personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory obligations. In addition, we will store and transfer personal data related to medical devices and/or medicines if we receive communications from you as the reporter of such information, from your patient or from a third party (e.g. our distributors or importers of the myoncare tools in your country) that must be reported to the manufacturer of the product in order for the manufacturer to comply with its legal obligations on product safety.

Justification of the processing of product safety data:

The legal basis for the processing of personal data for the fulfillment of legal obligations as a manufacturer of medical devices or medicinal products is Art. 6 para.1 lit. c, art. 9 para. 2 lit. i GDPR in conjunction with the post-market monitoring obligations under the Medical Devices Act and the Medical Devices Directive (regulated as of 26 May 2021 in Chapter VII of the new Medical Devices Regulation (EU) 2017/745) and/or the Medicines Act.

CHANGES TO THE PRIVACY POLICY

Only applicable if you use myoncare tools for reimbursement.

The myoncare portal supports you in initiating your standard procedures for reimbursement for the healthcare services provided to your patients via the myoncare app. To enable the reimbursement process, the myoncare portal supports the collection of your patients' personal (health) data from the myoncare portal in order to facilitate the transmission of this data to the patient's cost unit as part of the standard reimbursement processes (either your Association of Statutory Health Insurance Physicians and/or the patient's health insurance company). You are the data officer for the reimbursement data and responsible for compliance with data protection regulations for the processing of your patients' personal data in the reimbursement process. ONCARE acts as a data processor based on the data processing agreement with you as a healthcare provider.

Types of data: patient's name, diagnosis, indications, treatment, duration of treatment, other data necessary for the management of reimbursement.

Processing of reimbursement data: You, as the officer, transmit the patient's treatment data required for reimbursement to the cost unit (either your health insurance association and/or the patient's health insurance company) and the cost unit processes the reimbursement data in order to reimburse you.

Justification of the processing of reimbursement data: The reimbursement data is processed based on §§ 295, 301 SGB V. The processing of the data by ONCARE for you is also carried out based on Art. 28 GDPR (order processing agreement).

WHAT TECHNOLOGY IS USED BY THE MYONCARE PORTAL AND THE MYONCARE APP?

The myoncare portal works as a web-based tool for which you need a working internet connection and any current version of the internet browser Chrome, Firefox or Safari.

E-mail service

We use Brevo (provided by Sendinblue GmbH, located at Köpenicker Straße 126, 10179 Berlin) and Sendgrid (provided by Twilio Inc., 1801 California Street Suite 500, Denver, CO 80202, USA). These e-mail services can be used to organize the sending of e-mails.  Sendgrid is used to send confirmation emails, transaction confirmations, and emails with important information related to requests. The data you enter for the purpose of receiving e-mails is stored on Sendgrid's servers. When we send emails on your behalf through SendGrid, we use an SSL secured connection.

Email communication is used for the following tasks:

- Logging in to the web application for the first time;

- Resetting the password for the web application;

- Create an account for the patient application;

- Reset the password for the patient application;

- Generation and sending of a report;

- Replace push notifications with emails for PWA (Progressive Web App) in the following cases:

(i) if a Care Plan ends within one day;

(ii) if medication has been assigned;

(iii) if the Privacy Policy has been updated;

(iv) when an appointment is sent to patients and physicians, in particular for the "video call" appointment type;

(v) Any information relating to a "Caretask" or if a Healthcare Provider has assigned a Caretask.

Important Explanations of Push Notifications and Emails

As part of your support by myoncare, we would like to inform you about how we handle notifications and important information that we send you.

1.     Push notifications:

o   We send you push notifications via our myoncare PWA (Progressive Web App) and the myoncare app to inform you about tasks, appointments and important updates.

o   You have the option to disable these push notifications in your app's settings.

2.     Email notifications:

o   Whether you have enabled or disabled push notifications, we will continue to send you important information and reminders via email.

o   This ensures that you don't miss any important notifications and that your support runs smoothly.

Why we do this:

·       Our goal is that you are always informed about your tasks and important updates to optimally support your care.

·       Emails are a reliable way to ensure that important information reaches you, even when push notifications are disabled.

Your options for action:

·       If you do not want to receive push notifications, you can deactivate them in the settings of the myoncare app.

·       Please ensure that your email address is accurate and up-to-date to ensure the smooth receipt of our messages.

·       If you do not want to receive email reminders, you can deactivate them in the settings of the myoncare app.

Storage period

The data you provide to us to receive emails will be stored by us until you log out of our services and will be deleted from both our servers and Sendgrid's servers after you log out.

Brevo (Privacy Policy):

Privacy Policy - Personal Data Protection | Brevo

SendGrid

https://sendgrid.com/resource/general-data-protection-regulation-2/

Visible

This is an open-source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transmit data to servers outside of ONCARE's control. Matomo is initially disabled when you use our services. Only if you agree, your user behavior will be recorded anonymously. If deactivated, a "persistent cookie" will be stored, if your browser settings allow it. This cookie signals to Matomo that you do not want your browser to be recorded.

The usage information collected by the cookie is transmitted to our servers and stored there so that we can analyze user behavior.

The information generated by the cookie about your use is:

- User operating system;

- User geolocation;

- Browser;

- Role;

- IP address;

- Sites visited via web / PWA (for more information, see the section on PWA in this Privacy Policy);

- buttons that the user clicks on in the myoncare portal, in the myoncare app and in the myoncare PWA.

The information generated by the cookie will not be passed on to third parties.

You can refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that you may not be able to use all the features in this case. For more information, please visit: https://matomo.org/privacy-policy/

The legal basis for the processing of users' personal data is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing of users' personal data enables us to analyse usage behaviour. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and their usability.

We process and store personal data only for as long as is necessary to fulfil the intended purpose.

SECURE TRANSFER OF PERSONAL DATA

We use appropriate technical and organizational security measures to optimally protect the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in cooperation with security experts and adapted to new security standards.

The data exchange from and to the portal as well as from and to the app is encrypted. We offer SSL as an encryption protocol for secure data transmission. The data exchange is also encrypted throughout and is carried out with pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only pass on your personal data to third parties within the framework of the legal provisions or on the basis of your consent. In all other cases, the information will not be disclosed to third parties, unless we are obliged to do so due to mandatory legal regulations (disclosure to external bodies, including supervisory or law enforcement authorities).

Any transmission of personal data is encrypted during transmission.

The information on how we handle the personal (health) data of your patients who use the myoncare app is summarized in a separate privacy policy for the myoncare app. You can find this privacy policy for patients here. Please also read this patient privacy policy carefully. For some of the processing of patient data, you are the data officer and responsible for compliance with data protection (e.g. transmission of treatment data to the patient).

GENERAL INFORMATION ON CONSENT TO DATA PROCESSING

Your consent also constitutes consent to data processing under data protection law. Before granting us your consent, we will inform you about the purpose of the data processing and your right to object.

If the consent also relates to the processing of special categories of personal data, the myoncare portal will expressly inform you of this as part of the consent procedure.

Processing of special categories of personal data pursuant to Art. 9 para. 1 GDPR may only take place if this is necessary due to legal provisions and there is no reason to assume that your legitimate interests preclude the processing of this personal data or that you have given your consent to the processing of this personal data in accordance with Art. 9 para. 2 GDPR.

For the data processing for which your consent is required (as explained in this Privacy Policy), consent will be obtained as part of the registration process. After successful registration, the consents can be managed in the account settings of the myoncare portal. In addition, ONCARE will ask you to agree to a data processing agreement for the data processed by ONCARE under your responsibility as a data controller.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that only those persons who are obliged to do so in order to fulfill their contractual and legal obligations are entitled to process personal data.

In certain cases, service providers support our specialist departments in the fulfillment of their tasks. The necessary data protection agreements have been concluded with all service providers who are data processors for personal data. These service providers are Google (Google Firebase) cloud storage providers and support service providers.

Google Firebase is a "NoSQL database" that enables synchronization between the myoncare portal and your patient's myoncare app. NoSQL defines a mechanism for storing data that is not only modeled in tabular relationships by allowing easier "horizontal" scaling compared to tabular/relational database management systems in a cluster of machines.  

For this purpose, a pseudo-key of the myoncare portal and the myoncare app is stored in Google Firebase together with the corresponding care plan. The data transfer is pseudonymized for ONCARE and its service providers, which means that ONCARE and its service providers cannot establish a relationship with you as a data subject. This is achieved by encrypting the data during the transfer and using pseudo-keys to track these transfers instead of personal identifiers such as names or e-mail addresses.  Re-identification takes place as soon as the personal data has reached the patient account in the myoncare app or in your account in the myoncare portal after verification by specific tokens.

Our cloud storage providers offer cloud storage in which the Firebase manager, which manages the Firebase URLs for the myoncare portal, is stored. In addition, these service providers provide the isolated server domain of the myoncare portal, in which your personal data as well as that of your patient is stored.  It also hosts myoncare's video and file management service, which enables encrypted video conferencing and data exchange between you and your patient. Access to your personal data by you and your patient is ensured by sending specific tokens. This personal data is encrypted during the transfer and pseudonymized for ONCARE and its service providers during the transfer and at rest. ONCARE service providers do not have access to this personal data at any time.

Furthermore, we use service providers to process service requests (support service providers) regarding the use of the account, for example, if you have forgotten your password, want to change your stored e-mail address, etc. The necessary order processing agreements have been concluded with these service providers; furthermore, the employees entrusted with the processing of service requests were trained accordingly. Upon recieving your service request a ticket number will be assigned to it.

If it is a service request regarding your account usage, the relevant information that you have provided to us when contacting us will be forwarded to one of the authorized employees of the external service. They will then contact you.

Otherwise, it will remain processed by specially approved ONCARE staff, as described under "PROCESSING OF OPERATIONAL DATA".

Through our support service providers, we use the tool RepairCode, also known as Digital Twin Code. This is a customer experience platform for dealing with external feedback with the ability to create support tickets. Here you will find the

Privacy Policy: https://app.repaircode.de/?main=main-client – Legal/privacy.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Personal data collected by the myoncare portal or the myoncare app is not stored in the app stores. Personal data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is necessary for the fulfilment of the contractual obligation, is required by law or you have given us your consent.

Synchronization of the myoncare portal with the myoncare app takes place with the help of Google Firebase. Google Firebase servers are hosted in the European Union. Nevertheless, according to the general Google Firebase terms and conditions, a temporary data transfer to countries in which Google and related service providers have branches is possible; for certain Google Firebase services, data is only transferred to the USA, unless processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Our online servers are hosted in Germany. For analysis purposes, the emails sent with SendGrid contain a so-called "tracking pixel" that connects to Sendgrid's servers when the email is opened. This can be used to determine whether an e-mail message has been opened.

Legal basis

Data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The lawfulness of the data processing operations that have already taken place remains unaffected by the revocation.

Please note that your data will usually be transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid that contains the EU Standard Contractual Clauses. This ensures that there is a level of protection comparable to that of the EU.

To process activity data, interfaces to Google Cloud services (in the case of GoogleFit) or to AppleHealth or Withings are used within the App User's mobile device. myoncare tools use these interfaces, which are provided by Google, Apple and Withings, to request activity data from the connected health applications. The enquiry sent by myoncare tools does not contain any personal data. Personal data is made available to the myoncare tools via these interfaces.

DURATION OF STORAGE OF PERSONAL DATA

We will retain your personal data for as long as it is needed for the purpose for which it is processed. Please note that numerous retention periods require the continued storage of personal data. This applies in particular to retention obligations under commercial or tax law.

Please note that ONCARE is also subject to retention obligations, which are contractually agreed with you based on the legal provisions. In addition, due to the classification and, if applicable, your use of the myoncare portal and the myoncare app as a medical device, certain retention periods apply to the portal, which result from the Medical Devices Act. If there are no other retention obligations, the personal data will be routinely deleted as soon as the purpose has been achieved.

In addition, we may retain personal data if you have given us your consent to do so or if litigation arises and we use evidence within the statutory limitation periods, which can be up to 30 years; the regular limitation period is three years.

YOUR RIGHTS AS A DATA SUBJECT

Various personal data are necessary for the establishment, execution and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare portal and the various functions it offers.

In certain cases, personal data must also be collected or made available in accordance with the legal provisions. Please note that without providing this personal data, it is not possible to process your request or fulfill the underlying contractual obligation.

AUTOMATED DECISIONS IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

YOUR RIGHTS AS A PERSON CONCERNED

We would like to inform you about your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR and include:

Right of access (Art. 15 GDPR): You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period, as well as your rights to rectification, deletion and objection. You also have the right to receive a copy of any personal data we hold about you.

Right to erasure / right to be forgotten (Art. 17 GDPR): You can ask us to delete your personal data collected and processed by us without undue delay. In this case, we will ask you to delete the myoncare portal from your computer. Please note, however, that we can only delete your personal data after the expiry of the statutory retention periods.

Right to rectification (Art. 16 GDPR): You can ask us to update or correct inaccurate personal data concerning you or to complete incomplete personal data.

Right to data portability (Art. 20 GDPR): In principle, you can request that we provide you with personal data that you have provided to us and that is processed automatically based on your consent or the performance of a contract with you in machine-readable form so that it can be "ported" to a substitute service provider.

Right to restriction of data processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims or an objection to the processing is being examined.

Right to object to data processing (Art. 21 GDPR): You have the right to object to our use of your personal data and to withdraw your consent at any time if we process your personal data based on your consent. We will continue to provide our services if they are not dependent on withdrawn consent.

To exercise these rights, please contact us at: privacy@myoncare.com. Objection and revocation of consent must be declared in text form to privacy@myoncare.com .

We will require you to provide sufficient proof of your identity to ensure that your rights are protected and that your personal data will only be disclosed to you and not to third parties.

Please also contact us at any time at privacy@myoncare.com  if you have any questions about data processing in our company or if you would like to withdraw your consent. You also have the right to contact the competent data protection supervisory authority.

DATA PROTECTION SUPERVISOR

You can reach our data protection officer to answer all questions about data protection at privacy@myoncare.com.

CHANGES TO THE PRIVACY POLICY

We expressly reserve the right to change this Privacy Policy in the future at our sole discretion. Changes or additions may be necessary, for example, to meet legal requirements, to comply with technical and economic developments, or to meet the interests of app or portal users.

Changes are possible at any time and will be communicated to you in an appropriate manner and in a reasonable timeframe before they become effective (e.g. by posting a revised Privacy Policy at login or by giving advance notice of material changes).

ONCARE GmbH

Mailing address

Balanstraße 71a

81541 Munich, Germany

T | +49 (0) 89 4445 1156

E | privacy@myoncare.com

Contact information of the Data Protection Officer

privacy@myoncare.com

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

Last updated on October 29, 2024.

PRIVACY POLICY FOR EUROPE

Welcome to myoncare, the digital health portal and mobile app ("app") for efficient and on-demand patient care and support for occupational health management programs.

For us at Oncare GmbH (hereinafter "ONCARE" or "we", "us", "our"), the protection of your privacy and all personal data relating to you during the use of the app is of great importance. We are aware of the responsibility that arises from your trust in the provision and storage of your personal (health) data in the myoncare app. Therefore, our technology systems used for the myoncare services are set up to the highest standards and the lawful processing of the data is at the core of our ethical understanding as a company.

We process your personal data in accordance with applicable legislation on the protection of personal data, in particular the EU General Data Protection Regulation ("GDPR") and the country-specific laws that apply to us. This privacy policy explains why and how ONCARE processes your personal (health) data that we collect from you or that you provide to us when you decide to use the myoncare app. In particular, you will find a description of the personal data we collect and process, as well as the purpose and basis on which we process the personal data and the rights to which you are entitled.

Please read the Privacy Policy carefully to ensure that you understand each provision. After reading the Privacy Policy, you have the opportunity to agree to the Privacy Policy and consent to the processing of your personal (health) data as described in the Privacy Policy. If you give your consent, the Privacy Policy becomes part of the contract between you and ONCARE.

According to the terms of use, our offer is only aimed at persons aged 18 and over. Accordingly, no personal data of children and adolescents under the age of 18 is stored and processed.

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

DEFINITIONS

"app User" means any user of the myoncare App (Patient and/or Employee).

"blockchain" is another decentralized database in the myoncare system that stores corresponding data of the application.

"company" means your employer if you and your employer use myoncare tools for the employer's occupational health management.

"data service provider" means any agent engaged and instructed by the Company to collect, review and interpret pseudonymized or anonymized employee data in occupational health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services, etc.), which is provided by a separate information sheet to employees.

"healthcare provider" means your physician, clinic, healthcare facility, or other healthcare professional acting alone or on behalf of your physician, clinic, or healthcare facility.

"pathway" is a standardized treatment plan consisting of several scheduled care tasks, which can determine the steps for diagnoses and therapies. "care tasks" are specific tasks or actions within a pathway that must be performed by the healthcare providers involved, the nursing staff or the patient himself.

"myoncare app" means the mobile myoncare application for use by patients or employees who wish to use the services offered by ONCARE.

"myoncare portal" is the myoncare web portal, which is intended for professional use by portal users and serves as an interface between portal users and app users.

"myoncare tools" means the myoncare app and the myoncare portal together.

"myoncare PWA app" means the myoncare Progressive Web App application for patients who wish to use the services offered by ONCARE via the PWA App and not via the myoncare App.

"myoncare Services" means the services, functionalities and other offers that are or may be offered to portal users via the myoncare Portal and/or to app users via the myoncare app.

"ONCARE" means ONCARE GmbH, Germany.

"portal user" means any healthcare provider, company or data service provider that uses the web-based myoncare Portal.

"privacy policy" means this statement given to you as a patient and user of the myoncare app, which describes how we collect, use and store your personal information and informs you of your broad rights.

"terms of use" means the terms of use for the use of the myoncare App.

PROCESSING OF (TREATMENT) DATA

Oncare GmbH, a company registered with the District Court of Munich under registration number 219909 with its registered office at Balanstraße 71a, 81541 Munich, Germany, offers the mobile application myoncare app and operates it as access to the myoncare services. This privacy policy applies to all personal data processed by ONCARE in connection with the use of the myoncare app.

WHAT IS PERSONAL DATA

"personal data" means any information that allows a natural person to be identified. In particular, this includes your name, birthday, address, telephone number, email address and IP address.

"health data" means personal data relating to the physical and mental health of a natural person, including the provision of health services from which information about their state of health precedes.

Data is to be considered "anonymous" if no personal connection to the person/user can be established.

In contrast, "pseudonymized" data is data from which a personal reference or personally identifiable information is replaced by one or more artificial identifiers or pseudonyms, but which can generally be re-identified by the identifier key.

myoncare PWA app

A progressive web app (PWA) is a website that looks and has the functionality of a mobile app. PWAs are built to take advantage of the native features of mobile devices without the need for an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing the benefits of native mobile apps into the browser. The PWA is based on the technology of "React Native for Web". "React Native for Web" is an open-source software for PWA applications.

To use the myoncare PWA app, patients need a computer or smartphone and an active internet connection. There is no need to download an app.

Some of the myoncare app services cannot be used within the myoncare PWA app, see the description below for details. These are the following services or specifications:

- Chat with service providers;

- Video;

- Security PIN codes;

- Activity data tracking (e.g. via AppleHealth, GoogleFit, Withings).

The following information about the myoncare app also applies to the myoncare PWA app, unless otherwise described in this section.

WHAT PERSONAL DATA IS USED WHEN USING THE MYONCARE APP

We may process the following categories of data about you when using the myoncare app:

Operational data: Personal data that you provide to us when registering in our myoncare app, contacting us about problems with the app or otherwise interacting with us for the purpose of using the app.

Treatment data: You or your healthcare provider provide us with your personal data, such as name, age, height, weight, indication, symptoms of illness and other information related to your treatment (e.g. in a care plan). Information related to your treatment includes, but is not limited to: information about medications taken, responses to questionnaires including disease- or condition-related information, diagnoses and therapies provided by your healthcare provider, planned and completed tasks.

Activity data: Personal data that is processed by us if you connect the myoncare app to a health application (e.g. GoogleFit, AppleHealth, Withings). Your activity data will be transferred to your affiliated healthcare providers as portal users.

Commercial and non-commercial research data:

We process your personal data in anonymized/pseudonymized form in order to analyze and produce summary scientific reports in order to improve products, treatments and scientific results.

Product safety data: Personal data that is processed to comply with our legal obligations as the manufacturer of the myoncare app as a medical device. In addition, your personal data may be processed by medical devices or pharmaceutical companies to fulfil legal security or vigilance purposes.

Reimbursement Data: Personal data required for the reimbursement process between your provider and your health insurance provider.

Occupational health management data: Personal or aggregated data collected in specific projects and questionnaires at the request of your company (either directly or through a data service provider contracted by your company). The data may relate to certain health information, your opinion about your personal well-being, your opinion as an employee about a particular internal or external situation, or data about care or health in general.

BLOCKCHAIN-TECHNOLOGY

Blockchain technology ("blockchain") (European Patent No. 4 002 787) is an optional service that is not mandatory. It is your healthcare provider who decides to use the blockchain solution. The blockchain is based on Hyperledger Fabric's technology. Hyperledger Fabric is an open-source software for enterprise-level blockchain implementations. It offers a scalable and secure platform that supports blockchain projects.

The blockchain in the myoncare system is an additional database that stores data from the application. All blockchain data is stored in the Federal Republic of Germany. It is a private blockchain ("private blockchain"), it only allows the input of selected verified participants and it is possible to overwrite, edit or delete entries as needed.

Generally, the blockchain consists of digital data in a chain of packets called "blocks" that store the corresponding transactions. The way these blocks are connected to each other is chronological. The first block that is created is called the genesis block, and each block added after that has a cryptographic hash related to the previous block, allowing transactions and changes of information to be traced back to the genesis block. All transactions within the blocks are validated and verified through a blockchain consensus mechanism to ensure that each transaction is unchanged.

Each block contains the list of transactions, a timestamp, its own hash, and the hash of the previous block. A hash is a function that converts digital data into an alphanumeric chain. If an unauthorized person tries to change the data of a single block, the hash of the block would also change and the link to that block would be lost. In this case, the block can no longer be synchronized with the others. This technical process prevents unauthorized persons from manipulating the contents of the blockchain chain. If all nodes (network nodes) attempt to synchronize their copies, it is detected that a copy has been modified, and the network deems that node to be faulty.

Our blockchain is a private blockchain. A private blockchain is decentralized. It is a so-called distributed ledger system (digital system for recording transactions), which functions as a closed database. Unlike public blockchains, which are "unauthorized," private blockchains are "authorized" because authorization is required to become a user. In contrast to public blockchains, which are publicly accessible to everyone, access to private blockchains is dependent on authorization in order to become a user. This structure makes it possible to take advantage of the security and immutability of blockchain technology while being data protection compliant and comply in particular with the regulations of the General Data Protection Regulation (GDPR). Private blockchain records can be edited, altered, or deleted; deletion in this context means that the reference value to the UUID (Universally Unique Identifier) in the database of the healthcare provider is deleted. In addition, the hash is anonymized in the blockchain database, with the result that this overall process is compliant with the General Data Protection Regulation and the rights of a data subject are guaranteed (right to erasure "right to be forgotten", Art. 17 GDPR).

Type of data stored and processed in the blockchain:

- Institutions/Leistungserbinger UUID

- Patients-UUID

- Asset-UUID

- Hash of caretask and asset data.

(UUID: Universal Unique Identifier).

The data stored in the blockchain is pseudo-anonymized.

Our blockchain is designed to ensure data privacy in terms of data integrity, patient profile, assets, and assigned care tasks and medications. To communicate with the blockchain, the user must register a series of public-private keys. To communicate with the blockchain, the user needs several public-private keys; the registration process generates certificates that are stored in a separate database of the healthcare provider and on the patient's mobile phone. A backup copy of the patient key is encrypted and stored in the provider's database, which can only be accessed by the patient.

When verifying consent to data protection, in the event that the healthcare provider wants to communicate with the patient, the system checks whether the patient has given consent to the healthcare provider's privacy policy. The blockchain therefore serves to ensure the integrity and accountability of the record to ensure that the patient has accepted the privacy policy.

When a healthcare provider uploads a new version of a privacy policy, the hash of the file is stored on the blockchain, and after the patient agrees to the privacy policy, that interaction is stored on the blockchain. Every time it communicates with the patient, the blockchain responds by comparing the hash with a flag that indicates whether the patient's consent is still valid for the current privacy policy.

The integrity of the patient profile is also ensured by the blockchain in patient synchronization. The healthcare provider immediately detects if the patient profile is not synchronized or matches the profile on the mobile phone by comparing the hash of the patient profile in the blockchain. In this way, the healthcare provider achieves sufficient up-to-dateness with regard to the patient profile.

myoncare Portal:

If the service provider decides to use the blockchain solution, ONCARE implements an additional tool, called "Adapter Service", which is used to communicate with the blockchain. The blockchain instance is hosted by ONCARE.

myoncare App:

Patients can connect to the same blockchain instance using the Phone Manager tool, which is also hosted by ONCARE. This service is also hosted by ONCARE.

Legal basis for data processing: Data processing by ONCARE for the Service Provider is carried out based on Art. 28 GDPR (Data Processing Agreement).

OPERATIONAL DATA PROCESSING

Applicable to all app users

You may provide us with certain personal information when you contact us to understand the features and usage of the myoncare app, or in the event of a service request.

In the event of a service request, the following personal data can also be viewed by authorized ONCARE employees:

The personal data you have provided to your healthcare provider via our app (e.g. name, date of birth, profile picture, contact details).

The health data that you have provided to your healthcare provider, the data service provider or the company via our myoncare app (e.g. information about medications taken, answers to questionnaires including disease- or condition-related information, diagnoses and therapies by healthcare professionals, planned and completed tasks).

Authorized ONCARE employees who may access the database of your healthcare provider, data service provider or company for the purpose of processing a service request are contractually obliged to keep all personal data strictly confidential.

When the myoncare app is downloaded, the necessary information is transmitted to the app store provider. We have no control over this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare apps and services.

When processing operational data, ONCARE acts as a data controller responsible for the lawful processing of your personal data.

Types of data: your name, email address, date of birth, date of registration, pseudo-keys generated by the app; Device tokens to identify your device, your pseudo-identification number, your IP address, type and version of the operating system used by your device.

The app uses Google Maps API to use geographic information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. You can find more detailed information about the scope, legal basis and purpose of data processing by Google as well as the storage period in the Google Privacy Policy.

Purposes of processing operational data: We use the operational data to maintain the functionalities of the myoncare app and to contact you directly if necessary or if we are contacted by you (e.g. in the event of changes to the terms and conditions, necessary support, technical problems, etc.).

Justification of processing: The processing of operational data is justified on the basis of Art. 6 para. 1 lit. b GDPR for the performance of the contract that you conclude with ONCARE for the purpose of using the myoncare app.

IP GEOLOCATION

We use a geolocation application for our services. We use ipapi (provided by apilayer Data Products GmbH, Elisabethstraße 15/5, 1010 Vienna, Austria) and Geoapify (provided by Keptago Ltd., N. Nikolaidi and T. Kolokotroni ONISIFOROU CENTER 8011 Paphos, Cyprus) to identify the location of patient users. We use it to secure our applications and to verify the location of the patient user to ensure that the use of our services is compliant. We do not combine the information we collect with any other information about the user that could identify them. The data processed by apilayer includes the patient's IP address and other details about the location. The legal basis for the use is Art. 6 para. 1 lit. f GDPR. The data will be deleted when the associated purpose for which it was collected no longer exists and there is no longer a legal obligation to store it. For more information about their privacy policy, please visit https://ipapi.com/privacy/ and

PROCESSING OF (TREATMENT) DATA

Applicable to app users who use the app with their service provider

While using the myoncare app, your healthcare provider may enter your personal data into the myoncare portal in order to start myoncare services (e.g. providing an individual task, reminder to take medication, etc.). In addition, you and your healthcare provider can upload documents and files to the myoncare app and the myoncare portal and share them with each other. Your healthcare provider may upload a privacy policy for your information and define other consent requirements for you as a patient for which your consent must be given. The files are stored in a cloud database in Germany. Your healthcare provider may allow the sharing of such files with other portal users within its institution for medical purposes. Other portal users do not have access to these files.

We will use and process your data in accordance with what is set out in this privacy policy, unless you give us your consent.

We process such personal data, including your health data, under an agreement with and in accordance with the instructions of your healthcare provider. For the purposes of this Agreement, the halthcare provider is responsible for the processing of your personal data and health data within the meaning of applicable data protection laws as a data officer, and ONCARE is the data processor of such personal (health) data. This means that ONCARE processes personal data only in accordance with the instructions of the healthcare provider. If you have any questions or concerns about the processing of your personal data or health data, you should contact your healthcare provider in the first place.

Types of data: name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, questionnaire responses including disease- or condition-related information, diagnoses and therapies of healthcare professionals, planned and completed tasks.

Purposes of data processing: We process your treatment data in order to be able to provide our myoncare services to your healthcare provider and to you. Your health data, which you enter into our myoncare app, will be used by your healthcare provider for advice and support for you. We process this personal data under an agreement with and in accordance with the instructions of your healthcare provider. The transmission of this treatment data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your healthcare provider.

Justification of processing of treatment data: Your personal (treatment) data will be processed by your healthcare provider in accordance with the provisions of the GDPR and all other applicable data protection regulations. Legal bases for data processing result in particular from Art. 9 para. 2 lit. h GDPR for health data as data worthy of special protection as well as your consent pursuant to Art. 6 para. 1 lit. a and 9 para. 2 lit. a GDPR. The processing of data by ONCARE for your healthcare provider is also carried out on the basis of Art. 28 GDPR (order processing agreement).

Your healthcare provider, as a data officer, is responsible for obtaining your consent. Even if you can use the myoncare app without such consent, most functions will no longer work (e.g. sharing data with your healthcare provider). Therefore, the refusal or revocation of consent to the processing of treatment data leads to a severe restriction of the functionality of the pp services and your healthcare provider can no longer support you via the myoncare app.

PROCESSING OF ACTIVITY DATA

Only applicable if you agree to and activate activity data transfer via myoncare tools

myoncare tools offer you the option of connecting the myoncare app with certain health apps (e.g. AppleHealth, GoogleFit, Withings) that you use ("health app"). In order to enable activity data processing, we will obtain your consent to the processing in advance. If the connection is established after you have given your consent, activity data collected by the health app will be made available to your healthcare providers for the purpose of providing additional, contextual information regarding your activity. Please note that activity data is not validated by myoncare tools and should not be used by your healthcare provider for diagnostic purposes as a basis for medical decision-making. Please also note that your healthcare providers are not obliged to verify your activity data and do not have to give you any feedback regarding your activity data.

Activity data is shared with your affiliated healthcare providers every time the myoncare app is accessed. You can revoke your consent to share activity data at any time in the settings of the myoncare app. Please note that your activity data will not be shared from this point on. Activity data that has already been shared will not be deleted from the myoncare portal of your affiliated healthcare providers.

The processing of activity data falls under your own data responsibility.

Types of data: The type and scope of data transferred depend on your decision and the availability of this data within the health app. Data may include weight, height, steps taken, calories burned, hours of sleep, heart rate, and blood pressure, among others.

Purpose of processing activity data: Your activity data will be made available to your healthcare providers with whom you are connected for the purpose of providing additional, contextual information regarding your activity.

Justification of processing: The processing of activity data is your own responsibility.

PROCESSING OF PRODUCT SAFETY DATA

Applicable for app users whose service provider uses the medical device variant of the myoncare tools

The myoncare app is classified and marketed as a medical device according to the European medical device regulations. As the manufacturer of the app, we must comply with certain legal obligations (e.g. monitoring the functionality of the app, evaluating incident reports that could be related to the use of the app, tracking users, etc.). In addition, the myoncare app allows you and your healthcare provider to communicate and collect personal data about certain medical devices or medicines used in your treatment. The manufacturers of such medical devices or medicinal products also have legal obligations regarding market surveillance (e.g. collection and evaluation of adverse reaction reports).

ONCARE is the data controller for the processing of product safety data.

Types of data: case reports, personal data provided in an incident report, and results of the evaluation.

Processing of product safety data: We store and evaluate all personal data in connection with our legal obligations as a manufacturer of a medical device and transmit this personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data officers with supervisory obligations. In addition, we will store and transfer personal data in connection with medical devices and/or medicines if we receive notices from your healthcare provider, from you as a patient or from a third party (e.g. our distributors or importers of the myoncare tools in your country) that must be reported to the manufacturer of the product in order for the manufacturer to comply with its legal obligations on product safety .

Justification of the processing of product safety data: The legal basis for the processing of personal data for the fulfilment of legal obligations as a medical device or medicinal product manufacturer is Art. 6 para. 1 lit. c, Art. 9 para. 2 lit. i GDPR in conjunction with the post-market monitoring obligations under the Medical Devices Act and the Medical Devices Directive (regulated as of 26 May 2021 in Chapter VII of the new Medical Devices Regulation (EU) 2017/745) and/or the Medicines Act.

CHANGES TO THE PRIVACY POLICY

Applicable to app users who use the app with their healthcare provider for reimbursement purposes

The myoncare app supports your healthcare provider in initiating standard procedures for reimbursement of costs for the health services provided to you via the myoncare app. In order to enable the reimbursement process, the myoncare app supports the collection of your personal (health) data by your healthcare provider for the transmission of this data to your paying unit (either its Association of Statutory Health Insurance Physicians and/or your health insurance company). This data processing is only an initial data transfer for the healthcare provider in order to obtain reimbursement from your health insurance company. The type and amount of personal data processed does not differ from other reimbursement routines of the healthcare provider. Your healthcare provider is the data officer of reimbursement data. ONCARE acts as a data processor on the basis of the data processing agreement with your healthcare provider.

Types of data: name, diagnosis, indications, treatment, duration of treatment, other data necessary for the management of reimbursement.

Processing of reimbursement data: Your healthcare provider transmits your treatment data required for reimbursement to the payer (either their statutory health insurance institution and/or your health insurance company) and the payer processes the reimbursement data in order to provide reimbursement to your healthcare provider.

Justification of the processing of reimbursement data: The reimbursement data is processed based on §§ 295, 301 SGB V. The processing of data by ONCARE for your healthcare provider is also carried out based on Art. 28 GDPR (order processing agreement).

PROCESSING OF OCCUPATIONAL HEALTH MANAGEMENT DATA

Applicable to users of the app who use the app with the company's occupational health management

During the use of the myoncare app in the company’s occupational health management, certain personal (health) data is passed on in aggregated form as data for occupational health management to the company and the data service providers commissioned by the company (e.g. data analysts or research companies). Neither the Company nor any data service provider can assign such data to your identity. ONCARE recommends not to share any personal data during the use of myoncare services as part of occupational health management.

This means that ONCARE and all data service providers will only process the data for occupational health management in accordance with the company’s instructions. We process such data for occupational health management, including your health data, on the basis of an agreement with your company and/or a data service provider and in accordance with their instructions. For the purposes of this Agreement, the company or the data service provider is the data officer for the processing of your data for occupational health management purposes and ONCARE and any data service providers engaged by the company, if any, are the processors of such data. If you have any questions or concerns about the processing of your data for occupational health management, you should contact the company in the first place.

Purposes of data processing in occupational health management: We process your data for occupational health management in order to be able to offer you and the company our myoncare services. Your company health management data, which you enter into our myoncare app, will be used by the company (either directly or via a data service provider) in its occupational health management. We process this data for occupational health management as part of an agreement with and in accordance with the instructions of the company and/or a data service provider for its occupational health management. The transmission of this data for occupational health management is pseudonymized and encrypted. To exercise your rights as a data subject, please contact the company.

Justification of the processing of occupational health management data: Your occupational health management data will be processed by the company in accordance with the provisions of the GDPR and all other applicable data protection regulations. The legal basis for data processing is in particular your consent in accordance with Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR or another legal ground applicable to the company. The processing of data by ONCARE to the company (either directly or via a service provider commissioned by your company) is also based on Art. 28 GDPR (Data Processing Agreement).

The company, as the data controller, is responsible for obtaining your consent if required by data protection regulations and for processing the data for occupational health management purposes in accordance with applicable data protection laws.

WHAT TECHNOLOGY IS USED BY THE MYONCARE APP?

E-mail service

We use Brevo (provided by Sendinblue GmbH, located at Köpenicker Straße 126, 10179 Berlin) and Sendgrid (provided by Twilio Inc., 1801 California Street Suite 500, Denver, CO 80202, USA). These e-mail services can be used to organize the sending of e-mails. Sendgrid is used to send confirmation emails, transaction confirmations, and emails with important information related to requests. The data you enter for the purpose of receiving e-mails is stored on Sendgrid's servers. When we send emails on your behalf through SendGrid, we use an SSL secured connection.

Email communication is used for the following tasks:

- Logging in to the web application for the first time;

- Resetting the password for the web application;

- Create an account for the patient application;

- Reset the password for the patient application;

- Generation and sending of a report;

- Replace push notifications with emails for PWA (Progressive Web App) in the following cases:

(i) if a Care Plan ends in one hour;

(ii) if medication has been assigned;

(iii) if the Privacy Policy has been updated;

(iv) when an appointment is sent to patients and physicians, especially for the "video call" appointment type;

(v) Any information relating to a caretask or if a healthcare provider has assigned a caretask.

Important Explanations of Push Notifications and E-mails

As part of your support by myoncare, we would like to inform you about how we handle notifications and important information that we send you.

  1. Push notifications:
    • We send you push notifications via our myoncare PWA (Progressive Web App) and the myoncare app to inform you about tasks, appointments and important updates.
    • You have the option to disable these push notifications in your app's settings.
  2. Email notifications:
    • Whether you have enabled or disabled push notifications, we will continue to send you important information and reminders via email.
    • This ensures that you don't miss any important notifications and that your support runs smoothly.

Why we do this:

  • Our goal is to keep you informed about your tasks and important updates to best support your health.
  • Emails are a reliable way to ensure that important information reaches you, even when push notifications are disabled.

Your options for action:

  • If you do not want to receive push notifications, you can deactivate them in the settings of the myoncare app.
  • Please ensure that your email address is accurate and up to date to ensure the smooth receipt of our messages.
  • If you do not want to receive email reminders, you can deactivate them in the settings of the myoncare app.

Storage period

The data you provide to us to receive emails will be stored by us until you log out of our services and will be deleted from both our servers and Sendgrid's servers after you log out.

Brevo (Privacy Policy): Privacy Policy - Personal Data Protection | Brevo

SendGrid (Privacy Policy):https://sendgrid.com/resource/general-data-protection-regulation-2/

Matomo

This is an open-source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transmit data to servers outside of ONCARE's control. Matomo is initially disabled when you use our services. Only if you agree, your user behavior will be recorded anonymously. If deactivated, a "persistent cookie" will be stored, if your browser settings allow it. This cookie signals to Matomo that you do not want your browser to be recorded.

The usage information collected by the cookie is transmitted to our servers and stored there so that we can analyze user behavior.

The information generated by the cookie about your use is:

- User Role;

- User geolocation;

- User-OS;

- Time that the user has used content;

- IP address;

- Sites visited via web / PWA (for more information, see the section on PWA in this Privacy Policy);

- buttons that the user clicks on in the myoncare portal, the myoncare app and the myoncare PWA.

The information generated by the cookie will not be passed on to third parties.

You can refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that you may not be able to use all the features in this case. For more information, see:https://matomo.org/privacy-policy/ .

The legal basis for the processing of users' personal data is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing of users' personal data enables us to analyze usage behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and their usability.

We process and store personal data only for as long as is necessary to fulfil the intended purpose.

SECURE TRANSFER OF PERSONAL DATA

We use appropriate technical and organizational security measures to optimally protect the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in cooperation with security experts and adapted to new security standards.

The data exchange to and from the app is encrypted. We use TLS and SSL as encryption protocols for secure data transfer. The data exchange is also encrypted throughout and is carried out with pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only pass on your personal data to third parties within the framework of the legal provisions or based on your consent. In all other cases, the information will not be disclosed to third parties, unless we are obliged to do so due to mandatory legal regulations (disclosure to external bodies, including supervisory or law enforcement authorities).

Any transmission of personal data is encrypted during transmission.

GENERAL INFORMATION ON CONSENT TO DATA PROCESSING

Your consent also constitutes consent to data processing under data protection law. Before granting your consent, we will inform you about the purpose of the data processing and your right to object.

If the consent also relates to the processing of special categories of personal data, the myoncare app will expressly inform you of this as part of the consent procedure.

Processing of special categories of personal data pursuant to Art. 9 para. 1 GDPR may only take place if this is required by law and there is no reason to assume that your legitimate interests preclude the processing of this personal data or that you have given your consent to the processing of this personal data in accordance with Art. 9 para. 2 GDPR.

For the data processing for which your consent is required (as explained in this privacy policy), consent will be obtained as part of the registration process. After successful registration, the consents can be managed in the account settings of the myoncare app.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that only those individuals are authorized to process personal data that are necessary to fulfill their contractual and legal obligations. Your personal data and health data that you enter in our myoncare app will be made available to your healthcare provider and/or company either directly or via a data service provider (depending on the type of use of the myoncare tools).

In certain cases, service providers support our specialist departments in the fulfilment of their tasks. The necessary data protection agreements have been concluded with all service providers who are data processors for personal data. These service providers are Google (Google Firebase), cloud storage providers and support service providers.

Google Firebase is a "NoSQL database" that enables synchronization between your healthcare provider's myoncare portal and the myoncare app. NoSQL defines a mechanism for storing data that is not only modeled in tabular relationships by allowing easier "horizontal" scaling compared to tabular/relational database management systems in a cluster of machines.

For this purpose, a pseudo-key of the myoncare app is stored in Google Firebase together with the corresponding care plan. The data transfer is pseudonymized for ONCARE and its service providers, which means that ONCARE and its service providers cannot establish a relationship with you as a data subject. This is achieved by encrypting the data during the transfer between you and your service provider or company (either directly or to any data service provider) and by using pseudo-keys instead of personal identifiers such as name or email address to track these transfers. Re-identification takes place as soon as the personal data has reached the account of your service provider or company in the myoncare portal or your account in the myoncare app, after it has been verified by specific tokens.

Our cloud storage providers offer cloud storage in which the Firebase manager, which manages the Firebase URLs for the myoncare portal, is stored. In addition, these service providers provide the isolated server domain of the myoncare portal, in which your personal data is stored. It also hosts myoncare's video and file management services, which enable encrypted video conferences between you and your service provider as well as the exchange of files. Access to your personal data by you and your service provider is ensured by sending specific tokens. This personal data is encrypted during transfer and at rest and pseudonymized for ONCARE and its service providers. ONCARE service providers do not have access to this personal data at any time.

Furthermore, we use service providers to process service requests (support service providers) regarding the use of the account, for example, if you have forgotten your password, want to change your stored e-mail address, etc. The necessary order processing agreements have been concluded with these service providers; furthermore, the employees entrusted with the processing of service requests were trained accordingly. Upon receiving your service request, a ticket number will be assigned to it.

If it is a service request regarding your account usage, the relevant information that you have provided to us when contacting us will be forwarded to one of the authorized employees of the external service. They will then contact you.

Otherwise, it will continue to be processed by specially approved ONCARE staff as described under "PROCESSING OF OPERATIONAL DATA".

Through our support service providers, we use the RepairCode tool, also known as Digital Twin Code, which is a customer experience platform for handling external feedback with the ability to create support tickets. Here you can find the privacy policy:https://app.repaircode.de/?main=main-client – Legal/privacy.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The personal data collected by this myoncare app is not stored in the app stores. Personal data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is necessary for the fulfilment of the contractual obligation, is required by law or you have given us your consent.

The synchronization of the myoncare app and the myoncare portal takes place via Google Firebase. The Google Firebase server is hosted in the European Union. However, as described in the Google Firebase Terms of Use, short-term data transfers to countries in which Google or its service providers are located are possible; for certain Google Firebase services, data is only transferred to the USA, unless processing takes place in the European Union or the European Economic Area. Unlawful access to your data is prevented with end-to-end encryption and secure access tokens. Our servers are hosted in Germany. For analysis purposes, the emails sent with SendGrid contain a so-called "tracking pixel" that connects to Sendgrid's servers when the email is opened. This can be used to determine whether an e-mail message has been opened.

Legal basis

Data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The lawfulness of the data processing operations that have already taken place remains unaffected by the revocation.

Please note that your data will usually be transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid that contains the EU Standard Contractual Clauses. This ensures that there is a level of protection comparable to that of the EU.

To process activity data, interfaces to Google Cloud services (in the case of GoogleFit) or to AppleHealth or Withings are used within the app user's mobile device. myoncare tools uses these interfaces, which are provided by Google, Apple and Withings, to request activity data from connected health apps. The enquiry sent by myoncare tools does not contain any personal data. Personal data is made available to the myoncare tools via these interfaces.

DURATION OF STORAGE OF PERSONAL DATA

We will retain your personal data for as long as it is needed for the purpose for which it is processed. Please note that numerous retention periods require the continued storage of personal data. This applies especially but not limited to retention obligations under commercial or tax law (e.g. Commercial Code, Tax Act, etc.). In addition, your healthcare provider must also ensure the retention of your medical records (between 1 and 30 years, depending on the type of documents).

Please note that ONCARE is also subject to retention obligations that are contractually agreed with your service provider based on the legal provisions. In addition, and only if your service provider uses the medical device variant of the myoncare tools, certain retention periods resulting from the Medical Devices Act apply due to the classification of the myoncare app as a medical device. If there are no other retention obligations, the personal data will be routinely deleted as soon as the purpose has been achieved.

In addition, we may retain personal data if you have given us your consent to do so or if litigation arises and we use evidence within the statutory limitation periods, which can be up to 30 years; the regular limitation period is three years.

OBLIGATION TO PROVIDE PERSONAL DATA

Various personal data are necessary for the establishment, execution and termination of the contractual relationship and the fulfilment of the associated contractual and legal obligations. The same applies to the use of our myoncare app and the various functions it offers.

We have summarized the details for you under the points above. In certain cases, personal data must also be collected or made available in accordance with the legal provisions. Please note that without providing this personal data, it is not possible to process your request or fulfil the underlying contractual obligation.

ACCESS

For all devices, regardless of the operating system used, it is necessary to grant the app certain permissions, which we call "basic access rights". Depending on the operating system of the device you are using, it may have additional features that require additional permissions for the app to work. In order for the myoncare app to work on your device, the app must be given various permissions to access certain functions of the device. If applicable, we will list them in order of the operating system (Android or iOS) according to the "basic conditions".

The basic access rights (Android and iOS) are:

Get Wi-Fi connections

Required to ensure the functionality of document download in conjunction with Wi-Fi connections.

Get Network Connection

Required to ensure the functionality of document download in conjunction with network connections that are not Wi-Fi connections.

Deactivate screen lock (prevent stand-by mode)

Required so that the videos that belong to the provided documents can be played directly in the app without being interrupted by a screen lock.

Access to all networks

Access to all networks is required to download documents.

Turn off sleep mode

This is necessary so that the videos that belong to the provided documents can be played directly in the app without the playback being interrupted by the occurrence of hibernation.

Mobile Data / Access to Mobile Data

If the user wants to download documents exclusively via Wi-Fi, he can make the appropriate setting in the app's menu and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of disabling document downloads over mobile data.

Accessing the camera

Camera access is required for scanning QR codes as well as for video consultations

Accessing the microphone

Microphone access is required for video consultations

Access files and photos

This is required for the exchange of files between you and your connected portal users.

Web browser access

This is necessary to view received files from your connected portal users.

We use push notifications, which are messages that are sent to your mobile device as a service of the myoncare app via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The Service Provider's Privacy Policy governs the access, use, and disclosure of personal information as a result of your use of these services.

AUTOMATED DECISIONS IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

YOUR RIGHTS AS A PERSON CONCERNED

We would like to inform you about your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR and include:

Right of access (Art. 15 GDPR): You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period, as well as your rights to rectification, deletion and objection. You also have the right to receive a copy of any personal data we hold about you.

Right to erasure / right to be forgotten (Art. 17 GDPR): You can ask us to delete your personal data collected and processed by us without undue delay. In this case, we will ask you to delete the myoncare app including your UID (Unique Identification Number) from your smartphone/mobile phone. Please note, however, that we can only delete your personal data after the expiry of the statutory retention periods.

Right to rectification (Art. 16 GDPR): You can ask us to update or correct inaccurate personal data or to complete incomplete personal data.

Right to data portability (Art. 20 GDPR): In principle, you can request that we provide you with personal data that you have provided to us and that is processed automatically on the basis of your consent or the performance of a contract with you in machine-readable form so that it can be "ported" to a substitute service provider.

Right to restriction of data processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims or an objection to the processing is being examined.

Right to object to data processing (Art. 21 GDPR): You have the right to object to our use of your personal data and to withdraw your consent at any time if we process your personal data on the basis of your consent. We will continue to provide our services if they are not dependent on withdrawn consent.

To exercise these rights, please contact your service provider or company in the first place or contact us at: privacy@myoncare.com . Objection and revocation of consent must be declared in text form to privacy@myoncare.com .

We will require you to provide sufficient proof of your identity to ensure that your rights are protected and that your personal data will only be disclosed to you and not to third parties.

Please also contact us at any time at privacy@myoncare.com if you have any questions about data processing in our company or if you would like to withdraw your consent. You also have the right to contact the competent data protection supervisory authority.

DATA PROTECTION SUPERVISOR

You can reach our data protection officer to answer all questions about data protection atprivacy@myoncare.com.

AGE RESTRICTION OF THE APPLICATION

A minimum age of 18 years is required to use the myoncare app.

CHANGES TO THE PRIVACY POLICY

We expressly reserve the right to change this privacy policy in the future at our sole discretion. Changes or additions may be necessary, for example, to meet legal requirements, to comply with technical and economic developments, or to meet the interests of app or portal users.

Changes are possible at any time and will be communicated to you in an appropriate manner and in a reasonable timeframe before they become effective (e.g. by posting a revised privacy policy at login or by giving advance notice of material changes).

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

ONCARE GmbH

Mailing address:

Balanstraße 71a

81541 Munich, Germany

E | privacy@myoncare.com

Contact information of the Data Protection Officer

privacy@myoncare.com

Last updated on October 30, 2024.

Privacy Notice (website) of Oncare

Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific laws applicable to us. With the help of this privacy notice, we inform you comprehensively about the processing of your personal data by ONCARE GmbH (hereinafter referred to as “Oncare”) when using our website and the rights to which you are entitled.

Personal data is any information that makes it possible to identify a natural person. This includes, in particular, your name, date of birth, address, telephone number, email address and IP address. Data is considered anonymous if no personal reference to the individual/ user can be made.

Responsible body and data protection officer

Postal address:  
Balanstrasse 71a
81541 Munich
E | info@myoncare.com

Contact info of the data protection officeprivacy@myoncare.com

Last updated on 25 April 2023.

Your rights as a data subjectWe would first like to inform you of your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR, and include:  

  • The right of access (Art. 15 GDPR),
  • The right to rectification (Art. GDPR),
  • The right to erasure / right to be forgotten (Art. 17 GDPR),
  • The right to restriction of data processing (Art. 18 GDPR),
  • The right to data portability (Art. 20 GDPR),
  • The right to object to data processing (Art. 21 GDPR).

To exercise these rights, please contact: privacy@myoncare.com. The same applies if you have any questions regarding data processing at our company or when you withdraw your consent. You also have the right of appeal to the relevant data protection supervisory authority.  

Right to objectPlease note the following with respect to your right to object:

When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.

If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection is free of charge and can be made in any form, if possible to: privacy@myoncare.com

Should we process your data to protect legitimate interests, you may object to such processing at any time for reasons that arise from your specific situation; this also applies to profiling based on these provisions.

We will then cease to process your personal information unless we can demonstrate compelling legitimate grounds for processing such information that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

Purposes and legal bases of data processingThe processing of your personal data complies with the provisions of the EU GDPR and all other applicable data protection regulations. Legal bases for data processing arise in particular from art. 6 GDPR.

We use your data to initiate business, to fulfil contractual and legal obligations, to conduct the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.

Your consent also constitutes permission to data processing under data privacy law. In this respect, we will inform you of the purposes of data processing and your right of objection. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.
In many cases, service providers assist our specialist departments to fulfil their tasks. The necessary data protection contracts have been concluded with all service providers.  

Processing of special categories of personal data within the meaning of art. 9 (1) GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such data or you have given your consent to the processing of these data according to art. 9 (2) GDPR.

Google services may transfer data to countries outside the EU/EEA (third country data transfer), e.g. to the USA, as part of the processing for the aforementioned purposes. Countries outside the European Economic Area may not offer a level of data protection comparable to that in Europe. Such countries for which the Commission has not explicitly determined that they provide an adequate level of protection with respect to data privacy are referred to as “unsafe third countries.” There is an increased risk that government authorities may access this data. We have no influence on these processing activities.

Data transfers / Disclosure to third partiesWe will only transmit your data to third parties within the scope of given statutory provisions or based on consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

Data recipients / categories of recipientsIn our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.  

Transfers of personal data to third countries  A transfer of data to third countries (outside the European Union or the European Economic Area) shall only take place if required by law or if you have provided your consent for such a transfer.

We transfer your personal data to service providers or group companies outside the European Economic Area as follows: United States of America.

In such cases, compliance with the required level of data protection is ensured by EU standard contractual clauses, the binding corporate data protection regulations of the service provider according to the established data protection contracts.

Period of data storageWe store your data for as long as such is required for the relevant processing purposes. Please note that numerous retention statutory periods require that data must be stored for a specific period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless a further period of retention is required.  
We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 3 years.

Secure transfer of dataWe implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.

The data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use the latest encryption protocols. When you use the contact form on our website to get in touch with us, the content is sent via https to a secure server of Site Ground, where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data.  It is also possible to use alternative communication channels.

Obligation to provide data

A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.

We have summarised the relevant details in the above point. In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.

Data categories, sources and origin of data

The data we process is defined by the relevant context: it depends on whether, for example, you enter a request on our contact form or if you want to send us an application or submit a complaint.

Please note that we may also provide information at specific points for specific processing situations separately where appropriate, e.g. when downloading our flyer or when making a contact request.

We collect and process the following data when you visit our website:

  • Your IP address which is immediately hashed by removing the last two digits
  • The URL and the title of the page you are viewing
  • The browser (name) you are using
  • Viewport or viewing pane (the size of the browser window)
  • Your screen resolution
  • Whether or not you have Java enabled
  • The language enabled in your browser

For reasons of technical security (in particular to safeguard against attempts to attack our web server), this data is stored in accordance with Article 6 (1) lit f GDPR. Anonymisation takes place immediately by abbreviating the IP address so that no reference is made to the user.

WordPress

Oncare uses the web design platform WordPress (WordPress, Org) to manage our website and the provider Site Ground (SiteGround Spain S.L.)  to host the website. For more details on the data processed by WordPress and Site Ground see sections ‘Data categories, sources and origin of data’ and ‘Secure transfer of data’ below and the privacy policy of WordPress and Site Ground.  

SendGrid

We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.  

For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.

Please note that your data is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU exists.

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Google Fonts

We use Google Fonts provided by Google Inc on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for the European area. We have embedded the Google fonts locally, on our web server – not on Google’s servers. This means that there is no connection to Google servers and therefore no data transfer or storage. This is an interactive directory of over 800 fonts that Google provides free of charge. To prevent any information transfer to Google servers, we have downloaded the fonts to our server. In this way, we act in a privacy compliant manner and do not send any data to Google Fonts.

Cookie Pro

This website uses the cookie consent tool “CookiePro” provided by OneTrust LLC, 1200 Abernathy Rd NE, Sandy Springs, GA 30328, USA (“OneTrust”) to obtain effective user consent for cookies and cookie-based applications. By integrating a corresponding JavaScript code, users are shown a banner when they access the page, in which consent can be given for certain cookies and/or cookie-based applications.  The tool blocks the setting of all cookies requiring consent until the respective user gives corresponding consent. This ensures that such cookies are only set on the respective end device of the user if consent has been granted. In order to be able to clearly assign page views to individual users and to individually record, log and store the consent settings made by the user for a session duration, certain user information (including the IP address) is collected by the cookie consent tool when our website is accessed, transmitted to OneTrust servers and stored there.  

This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website. Further legal basis for the described data processing is furthermore Art. 6 (1) p. 1 lit. c GDPR. We, as the controller, are subject to the obligation to make the use of technically unnecessary cookies dependent on the respective user consent.

SEOPress

We use SEOPress plugins on our website, a service provided by SEOPress SAS, 26 allée de Cantau, 64600 Anglet, France. The plugin handles the technical optimization of our websites for search engines and also assists with content development. You can prevent the storage of cookies by selecting the appropriate settings on your browser; we would like to point out that in this case you may not be able to use all functions of this website to their full extent. For more information please visit https://www.seopress.org/privacy-policy/. This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.

Polylang Pro

We use Polylang for the multilingualism of our website. Polylang is a product provided by WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. Polylang cookies are set solely to recognize and record the language used or selected by the user. These cookies are stored for one year and after that period deleted. For more information on data privacy compliance, please visit:   https://polylang.pro/privacy-policy/This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.

We collect and process the following data as part of a contact request:

  • Name and salutation
  • E-mail address
  • Type of your request
  • Information on your interests and inquiries (your message)
  • Company / organization

We process the following data as part of a job application you send us:

  • Name and salutation
  • Contact details you provide to us
  • Information on your professional career (CV), qualifications and certificates
  • Information you provide during application interviews and our notes thereof
  • The position you applied for, your salary expectations, you expected entry date and in exceptional cases your piece of identification
  • Any other information you provide to us during the application process.

We collect and process the following data in the context of job applications:

  • Last name, first name (maybe also title)
  • Address
  • Contact details (telephone number, e-mail address)
  • If applicable, contact data in electronic communication solutions (e.g. Skye, MS Teams) that you submit to us
  • Qualification data (CV, professional qualifications, work experience)
  • In addition, we use data that we have permissibly obtained from publicly accessible directories (e.g. professional networks).

Thank you for your interest in working for Oncare GmbH. We are aware of the importance of your data and process the personal data you provide us only for the purpose of effective and correct processing and for contacting you as part of the job application process. The data will not be transferred to third parties without your consent.  

You will be asked to provide personal information. We observe the principle of data economy and data avoidance by only requiring you to provide us with tdata that we need to review your job application documents, such as your CV, or that we are legally obligated to collect. To protect the security and confidentiality of your data, we implement appropriate security measures. In addition, we recommend that you send us your application documents in “zipped” form (e.g. 7z or .zip) with password protection by e-mail. Afterwards, please give us the password by telephone. Alternatively, you can also send us your application documents by post mail. We store your data for the above-mentioned purposes until the application process has been completed and related deadlines have expired – at the latest six months after receipt of a decision.  

If your job application is unfortunately unsuccessful, your data will be deleted by us within six months of rejection. If your application is successful, your application documents will be included on the HR files and will only be deleted after you have left the company and statutory retention periods have expired.

We are supported by our service provider JOIN Solutions GmbH (hereinafter “Join”) in carrying out the application process. For this purpose, we use a widget of the provider JOIN, Schönhauser Allee 36, 10435 Berlin, Germany. If you apply to a job, your application data will be processed by Join on our behalf as instructed. We have concluded the required data protection agreement with Join for data processing on our behalf, in which Join is obligated to process the data in accordance with the principles of GDPR and  in accordance with our instructions.  

Join widget: We use a Join widget to display current job offers. Cookies are set by the Join widget. The legal basis for the processing is Art. 6 (1) p. 1 lit. a GDPR.

Contact form / Contact via email (Article 6 (1) p.1. lit a, b GDPR)

A contact form is available on our website which can be used to contact us electronically. If you write to us using the contact form, we will process the data you submitted in the contact form to respond to your queries and requests.

In so doing, we respect the principle of data minimisation and data avoidance, such that you only have to provide the information we require to contact you, which is your name, salutation, email address and the type of your request. Your IP address will also be processed (and hashed immediately) for technical reasons and for legal protection. All other data is voluntary, and additional fields are optional (e.g. to provide a more detailed response to your questions).

If you contact us by email, we will process the personal information provided in the email solely for the purpose of processing your request.

Automated decisions in individual cases

We do not use purely automated processing to make decisions.

Cookies

Our website uses “cookies” at various locations, which serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser (locally on your hard disk). Cookies enable us to analyse how users use our websites so we can design the website content in accordance with the visitor’s needs. Cookies also allow us to measure the effectiveness of a particular advertisement and, for example, to place it based on the user’s interests.

When you first visit our website, a pop-up (CookiePro) opens from which you can give your consent to the use of categories of cookies which are described below as well as in the CookiePro pop-up itself.

The following categories of cookies are used on our website:

  • Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies include for example the ones used by CookiePro (OneTrust) to maintain cookies based on your consent. You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.
  • Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
  • Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Most of the cookies we use are “session cookies”, which will be automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired, or you delete them yourself prior to expiry.

In order to revoke your consent to the use of cookies (except for strictly necessary cookies which are always enabled), you can navigate to the footer of the website and deactivate categories of cookies in the CookiePro pop-up via the link ‘Cookies Settings’.

Furthermore, cookies are stored on the user’s computer which then transmits them to us. As a user, you therefore exercise full control over the use of cookies. You can change the settings in your Internet browser to disable or restrict the sending of cookies. In addition, cookies that have already been saved on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all the current Internet browsers.

Please note: If you deactivate the placing of cookies on your device, you may not be able to access all our website functions in certain circumstances.

Web tracking (Article 6 (1) p. 1 lit a EU GDPR)Matomo

This is an open source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transfer any data to servers outside the control of ONCARE. Matomo is deactivated when you use our services. Only after you have actively allowed it, your user behaviour will be recorded anonymously. By deactivating, a “permanent cookie” will be stored, if your browser settings allow this. This cookie serves the purpose of signaling Matomo not to capture your browser.

The information on usage collected by the cookie is transferred to our servers and saved there so that we can analyse user behaviour.

The information generated by the cookie on how you use our services will not be passed on to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality. For more information visit: https://matomo.org/privacy-policy/.  

The processing of the users’ personal data enables us to analyse the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and its user-friendliness.

We process and store personal data only for as long as this is necessary for the fulfilment of the intended purpose.

Google Analytics

Based on your consent (art. 6 (1) lit a EU GDPR) we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transferred to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. The processed data can be used to create pseudonymous user profiles of the users.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states that are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google as described in section ‘Cookies’ above.

Further information on the use of data by Google, setting and objection options, can be found in the privacy policy of Google and in the settings for the display of advertising by Google.

The personal data of users will be deleted or made anonymous after 12 months.

Google Marketing Platform (Doubleclick before)  

On this website we use Google Marketing Platform (hereinafter Doubleclick), a Google service. Doubleclick is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We use Doubleclick to make your stay on our website as pleasant as possible by integrating Google Maps. Doubleclick uses cookies, in particular to provide tailored ads to you.  

You can be addressed again by Google with suitable advertising offers on pages of Google Network, as you have visited or used corresponding websites and offers before. The information generated by the cookie may be transferred to a Google server in the USA and stored there. Google may also use the IP address of your browser for the display of ads. No data transmission takes place without your previously declared consent (Art. 6 para. 1 p. 1 lit. a GDPR) on our cookie banner. You can revoke this at any time by the “Cookie Settings” in the footer of our website. You can also deactivate the use of cookies by Google. Please note that you will not be able to access Google services embedded on our website (Google Maps) without your consent or if you deactivate them.  

Doubleclick is a service of a third company (Google) that is independent of us and we cannot influence whose data processing procedures. Further information how Google handles the data it collects from you, as well as other Google privacy policies, are available at http://www.google.com/intl/de/policies/privacy/

Google Maps-Plugin

Our website uses Google Maps (Google LLC) plugins. The plugins are deactivated until you specifically activate it by clicking on the plugin or have given your consent via our

cookie banner (consent according to Art. 6 para. 1 p. 1 lit. a) GDPR). Google will store your IP address after activation.  It is usually transferred to a Google server in the USA and stored there.  

You can find more information on the handling of user data in Google’s privacy policy at https://www.google.de/intl/de/policies/privacyHowever, you use this platform and its functions on your own responsibility. We would also like to point out that your data may be processed outside the European Union.

YouTube-PluginOur website uses YouTube plugins, YouTube is operated by Google. The operator is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surf behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please see YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

LinkedIn Insight TagOur website uses the conversion tool “LinkedIn Insight Tag” provided by LinkedIn Ireland Unlimited Company. The tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) pseudonymized. The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data are deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us. LinkedIn stores the personal data of the website visitors on its servers in the USA and uses it for its own advertising measures. You can find more detailed information on data protection at LinkedIn in the LinkedIn privacy notices.  

The use of LinkedIn Insight is based on Art. 6 para. 1 p. 1 lit. f GDPR.

Privacy policy / Notes on data protection in social mediaOncare GmbH maintains presences in the social medias, especially on Xing and LinkedIn. In case that we have control over the processing of your data, we will ensure that applicable data protection regulations. Below you find the most important information on data protection laws regarding our social media presences.

Name and address of the controllerThe following companies are responsible (as controller) for our social media presences, beside Oncare GmbH, according to the EU General Data Protection Regulation (GDPR) and other data protection provisions:  

  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  • Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland)

However, you use these platforms and their functions on your own responsibility, especially the use of interactive functions (e.g. commenting, sharing, rating). We would also like to point out that your data may be processed outside the European Union.

Purposes and legal basisWe maintain the social media presences in order to communicate with users and to inform them about our products and services. Furthermore, we collect data for statistical purposes in order to develop and optimize our content and to design our products/services more attractive. The data required for this purpose (e.g. total number of page views, page activity and data provided by visitors, interactions) is processed by the social networks and made available to us. We have no influence on the generation and presentation.  

In addition, your personal data will be processed by the social media providers for market research and advertising purposes. It is possible that, for example, based on your usage behavior and your interests, usage profiles are created. With the consequence that ads are placed inside and outside platforms that match your interests. Cookies are usually stored on your computer for this purpose. Data that are not collected directly on your end devices may also be stored in your usage profiles. Storage and analysis also takes place across devices; this applies in particular, but not exclusively, if you are registered as a member and logged in your account.

We do not collect or process any further personal data.

The processing of your personal data by Oncare GmbH is based on our legitimate interests to get appropriate information and reach sufficient communication pursuant to Art. 6 (1) p. 1 lit. f. GDPR. If you are asked for consent to data processing, i.e. if you declare your consent by confirming a button or similar (opt-in), the legal basis of the processing is Art. 6 (1) p. 1 lit. a., Art. 7 GDPR.

Your rights / objection option

If you are a member of a social network and do not want the network to collect data about you by our presence and link it to your social media membership data with the respective network, you must

  • log out of the social network before visiting our social media site,
  • delete the cookies present on the device and
  • close and restart your browser.

After logging in again, however, you will once more be recognizable to the network as a specific user. For a detailed description of the processing and the possibilities to object (opt-out), we refer to the following information:

  • LinkedIn

Privacy Statement: https://www.linkedin.com/legal/privacy-policy

Opt-Out: https://www.linkedin.com/legal/cookie-policy and

http://www.youronlinechoices.com

  • Xing

Privacy Statement: https://privacy.xing.com/de/datenschutzerklaerung

Opt-Out: http://www.youronlinechoices.com.

You have the following rights regarding the processing of your personal data:

The right of access, right to rectification, right to erasure / right to be forgotten, right to restriction of data processing, right to data portability, right to object to data processing and  

the right to file a complaint about unlawful processing of your personal data with the competent data protection authority. As Oncare does not have full access to your personal data, you should contact the social media provider directly if you wish to assert your claim, because your provider has access to the personal data of the users and can take appropriate measures and provide information. If you still need help, we support you.  Please contact privacy@myoncare.com

Online offers for children

Persons under the age of 16 may not submit personal data to us or give a declaration of consent without the authorisation of their legal guardian. We encourage parents and guardians to actively participate in the online activities and interests of their children.

Links to other providers

Our website also contains clearly identifiable links to the Internet sites of other companies. Although we provide links to websites of other providers, we have no influence on their content, and no guarantee or liability can therefore be assumed for such. The content of these pages is always the responsibility of the respective provider or operator of the pages.

The linked pages were checked at the time of linking for potential legal violations and identifiable infringements. No illegal content was identified at the time of linking. However, a permanent content control of the linked pages is not reasonable without concrete evidence of an infringement and, upon notification of a violation of rights, such links will be promptly removed.

U.S. Privacy Policy PRIVACY POLICY

Welcome to myoncare, the digital health portal for efficient and needs-based patient care.  

For us at Oncare GmbH (hereinafter referred to as "ONCARE" or "we", "us", "our"), the protection of your privacy and all personal data relating to you during the use of the myoncare portal is of great importance. We are aware of the responsibility that arises from the provision and storage of your personal data in the myoncare portal. Therefore, our technology systems used for the myoncare services are set up to the highest standards and the lawful processing of the data is at the core of our ethical understanding as a company.

We process your personal data in accordance with the applicable legal provisions on the protection of personal data. In this Privacy Policy, you will find out why and how ONCARE processes your personal data that we collect from you or that you provide to us when you decide to use the myoncare portal. In particular, you will find a description of the personal data we collect and process, as well as the purpose and basis on which we process the personal data and the rights to which you are entitled.

Any information we hold that is provided by your healthcare providers is Protected Health Information (PHI) and/or other medical information. These are protected by certain laws, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA). We have a legal obligation to protect the privacy and security of protected health information. We constantly strive to protect health information through administrative, physical, and technical means, and otherwise comply with applicable federal and state laws.

Please read the Privacy Policy carefully to ensure that you understand each provision. After reading the Privacy Policy, you will have the opportunity to consent to the Privacy Policy and consent to the processing of your personal data as described in the Privacy Policy. If you give your consent, the Privacy Policy becomes part of the contract between you and ONCARE.

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

DEFINITIONS

"App User" means any user of the myoncare App (your patient).

"Blockchain technology" The myoncare system contains an additional decentralized database in which the data of all installations is stored.

"Careplan Provider" means you or any other service provider or third party (e.g. medical device manufacturer, pharmaceutical company) who makes Care Plans available to other Portal users via the myoncare Store or other means of data exchange

"Careplan User" means you or any other service provider (Portal User) who uses a Care Plan ("Pathway") for the treatment of its registered Patients.

"Pathway" is a standardized treatment plan that can determine the steps for diagnoses and therapies. "Care tasks" are specific tasks or actions within a pathway that must be performed by the healthcare providers involved, the nursing staff or the patient themselves.

"EU General Data Protection Regulation". The General Data Protection Regulation (GDPR) is a European data protection law. The regulation came into force on 25 May 2018 and aims to harmonize data protection across all member states and give citizens more control over their personal data.  The GDPR applies to all companies and organizations that operate in the EU or process personal data of EU citizens, regardless of whether the company is located inside or outside the EU. The GDPR also applies to you as a US citizen because ONCARE is based in Germany.

"Healthcare provider" means you or any other physician, clinic, healthcare facility or other healthcare professional acting alone or on behalf of you or another physician, clinic or healthcare facility (intended User).

"Health Information" means all information, including genetic information, whether recorded orally or in any form or on any medium, which

- is processed or transferred by a healthcare provider, health plan, health authority, employer, life insurer, school or university, or health clearing house; and

- relates to a person's past, present or future physical or mental health or a health condition also in connection with the person's medical treatment;

- the past, present or future fee remuneration for a person's health care.

"Protected Health Information" or "PHI" means individually identifiable health information that (i) is transmitted via electronic media; (ii) are maintained in electronic media; or (iii) transmitted or maintained in any other form or medium.

"Health Insurance Portability and Accountability Act," "HIPAA." The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that includes the creation of national standards to protect patients' sensitive health information from unauthorized disclosure without their consent or knowledge. The HIPAA requirements apply to the use and disclosure of health information of individuals by institutions subject to the HIPAA Act. These individuals and organizations are referred to as "covered entities."

"myoncare App" means the mobile myoncare application for use by patients who wish to use the services offered by Oncare.

"myoncare Store" is the platform operated by ONCARE that provides digital care concepts (care plans) for the treatment of your registered patients via the myoncare portal.

"myoncare Portal" is the myoncare web portal, which is intended for professional use by portal users and serves as an interface between portal users and patients as app users.

"myoncare PWA App" means the myoncare Progressive Web App application for patients who wish to use the services offered by Oncare via the PWA App and not via the myoncare App.

"myoncare Tools" means the myoncare app and the myoncare portal together.

"myoncare Services" means the services, functionalities and other offers that are or could be offered to the Portal Users via the myoncare Portal and/or to the App Users via the myoncare App.

"Oncare" means ONCARE GmbH, Germany.

"Portal User" means you or any other service provider using the web-based myoncare Portal.

ONCARE is a "business associate" as defined by HIPAA and provides services to both healthcare providers and health plans. These services are provided to entities designated as "covered entities" in HIPAA law; ONCARE concludes corresponding agreements with these institutions.

According to our Terms of Use, our offer is only aimed at patients aged 18 and over. Accordingly, no personal data of children and adolescents under the age of 18 is stored and processed.

"Privacy Policy" means this statement provided to you as a user of the myoncare Portal, which describes how we collect, use and store your personal information and informs you of your broad rights.

"Terms of Use" means the terms of use for the use of the myoncare Portal.

COMPLIANCE WITH LAWS

Oncare GmbH, a company registered with the District Court of Munich under registration number 219909 with its registered office at Balanstraße 71a, 81541 Munich, Germany, offers and operates the interactive web portal myoncare Portal (for healthcare professionals) and the mobile application myoncare App (for patients) as access to the myoncare services. This privacy policy applies to all personal data processed by ONCARE in connection with the use of the myoncare portal. For the use of the myoncare app by patients, you will find a separate privacy policy for patients here[LG2] .

ONCARE is a "business associate" (business associate in terms of HIPAA) that provides services and health plans to health care providers, which are referred to as "covered entities" within the meaning of HIPAA; ONCARE concludes business partner agreements with these covered companies. ONCARE will only use and disclose PHI in accordance with the Business Associate Agreements and HIPAA.

We are required by U.S. law to follow laws designed to protect the privacy and security of protected health information. We will inform you immediately if a breach (so-called data breach) occurs that could have endangered the privacy or security of (health) information.

WHAT IS PERSONAL DATA IN TERMS OF THE GDPR

"Personal data" means any information that allows a natural person to be identified. In particular, this includes but is not limited to your name, birthday, address, telephone number, email address and IP address.

"Health data" means personal data relating to the physical and mental health of a natural person, including the provision of health services that disclose information about their health status.

Data is to be considered "anonymous" if no personal connection to the person/user can be established. In contrast, "pseudonymized" data is data from which a personal reference or personally identifiable information is replaced by one or more artificial identifiers or pseudonyms, but which can generally be re-identified by the identifier key (within the meaning of Art. 4 No. 5 GDPR).

Myoncare PWA App

A progressive web app (PWA) is a website that looks and has the functionality of a mobile app. PWAs are built to take advantage of the native features of mobile devices without the need for an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing the benefits of native mobile apps into the browser. The PWA is based on the technology of "React Native for Web". "React Native for Web" is an open-source software for PWA applications.

To use the myoncare PWA app, patients need a computer or smartphone and an active internet connection. There is no need to download an app.

Some of the myoncare app services cannot be used within the myoncare PWA app, see the description below for details. These are the following services or specifications:

-Chat with healthcare providers;

-Video;

-Security PIN codes;

-Activity data tracking (e.g. via AppleHealth, GoogleFit, Withings).

The following information about the myoncare app also applies to the myoncare PWA app, unless otherwise described in this section.

WHAT PERSONAL DATA IS USED WHEN USING THE MYONCARE APP

We may process the following categories of data about you when using the myoncare app:

Operational data: Personal data provided to us when you register and log into our myoncare portal, contact us regarding problems with the portal or otherwise interact with us for the purpose of using the portal;

Treatment data: You collect personal data of your patients, such as name, age, height, weight, indication, symptoms of illness and other information in connection with the treatment of your patients in the myoncare portal (e.g. treatment data is personal data of your patients that is collected or processed when you contact your patient via the myoncare portal interact); Activity data of your connected patients will be made available to you in your myoncare portal.

Commercial Store Data: Personal data processed by us when you use the myoncare store either as an author of careplan or as a buyer of careplan. The use of the myoncare store requires the processing of your name and contact details as well as your payment data (payment data only if a careplan is subject to a fee).

Activity data: Personal data that is processed by us when an app user connects the myoncare app to a health app (e.g. AppleHealth, GoogleFit, Withings). Activity information of your affiliated patients is available to you within the myoncare portal.

Commercial and non-commercial research data: We process your personal data in anonymized/pseudonymized form in order to analyze and prepare summary scientific reports to improve products, treatments and scientific results.

Product safety data: Personal data that is processed to comply with our legal obligations as the manufacturer of the myoncare app as a medical device. In addition, your personal data may be processed as an incident reporter to meet legal security or vigilance purposes of medical device or pharmaceutical companies.

Reimbursement Data: Personal data required for the reimbursement process.

BLOCKCHAIN-TECHNOLOGY

Blockchain technology ("Blockchain") (European Patent No. 4 002 787) is an optional service that is not mandatory. It is up to you, the healthcare provider, to decide to use the blockchain solution. The blockchain is based on Hyperledger Fabric's technology.  Hyperledger Fabric is an open-source software for enterprise-level blockchain implementations. It offers a scalable and secure platform that supports blockchain projects.

The blockchain in the myoncare system is an additional database that stores data from the application. All blockchain data is stored in the Federal Republic of Germany. It is a private blockchain ("Private Blockchain"), it only allows the input of selected verified participants, and it is possible to overwrite, edit or delete entries as needed.

Generally, the blockchain consists of digital data in a chain of packets called "blocks" that store the corresponding transactions. The way these blocks are connected to each other is chronological. The first block that is created is called the genesis block, and each block added after that has a cryptographic hash related to the previous block, allowing transactions and changes of information to be traced back to the genesis block. All transactions within the blocks are validated and verified through a blockchain consensus mechanism to ensure that each transaction is unchanged.

Each block contains the list of transactions, a time, its own hash, and the hash of the previous block. A hash is a function that converts digital data into an alphanumeric chain. In this case, the block can no longer be synchronized with the others. If an unauthorized person tries to change the data of a single block, the hash of the block would also change and the link to that block would be lost. If all nodes (network nodes) attempt to synchronize their copies, it is determined that one copy has been modified, and the network deems that node to be faulty. This technical process prevents unauthorized persons from manipulating the contents of the blockchain chain.

Our blockchain is a private blockchain. A private blockchain is decentralized. It is a so-called distributed ledger system (digital system for recording transactions), which functions as a closed database.  Unlike public blockchains, which are "unauthorized," private blockchains are "authorized" because authorization is required to become a user. In contrast to public blockchains, which are publicly accessible to everyone, access to private blockchains is dependent on authorization in order to become a user. This structure makes it possible to take advantage of the security and immutability of blockchain technology while being data protection compliant in general, and to comply in particular with the regulations of the General Data Protection Regulation (GDPR). Private blockchain records can be edited, altered, or deleted; deletion in this context means that the reference value to the UUID (Universally unique identifier) in the database of the service provider is deleted. In addition, the hash is anonymized in the blockchain database, with the result that this overall process is compliant with the General Data Protection Regulation and the rights of a data subject are guaranteed (right to erasure "right to be forgotten", Art. 17 GDPR).

Type of data stored and processed in the blockchain:

-Patients-UUID

-Institutions/Leistungserbinger UUID

-Asset-UUID

-Hash of caretask and asset data.

(UUID: Universal Unique Identifier).

The data stored in the blockchain is pseudo-anonymized.

Our blockchain is designed to ensure data privacy in terms of data integrity, patient profile, assets, and assigned care tasks and medications. To communicate with the blockchain, the user must register a series of public-private keys. The registration process generates certificates that are stored in a separate database of the provider and on the patient's mobile phone. A backup copy of the patient key is encrypted and stored in the provider's database, which can only be accessed by the patient.

When verifying consent to data protection, in the event that the provider wants to communicate with the patient, the system checks whether the Patient has given consent to the Provider's Privacy Policy. The blockchain therefore serves to ensure the integrity and accountability of the record to ensure that the patient has accepted the privacy policy.

When a healthcare provider uploads a new version of a privacy policy, the hash of the file is stored on the blockchain, and after the patient agrees to the privacy policy, that interaction is stored on the blockchain. Every time it communicates with the patient, the blockchain responds by comparing the hash with a flag that indicates whether the patient's consent is still valid for the current privacy policy.

In the event of patient synchronization, the integrity of the patient profile is also ensured by the blockchain. The service provider immediately recognizes if the patient profile does not synchronize or match the profile on the mobile phone by comparing the hash of the patient profile in the blockchain. In this way, the service provider achieves sufficient up-to-dateness regarding the patient profile.

myoncare portal:

If the healthcare provider decides to use the blockchain solution, ONCARE implements an additional tool, called "Adapter Service", which is used to communicate with the blockchain. The blockchain instance is hosted by ONCARE.

myoncare App:

Patients can connect to the same blockchain instance using the Phone Manager tool, which is also hosted by ONCARE. This service is also hosted by ONCARE.

Justification of processing: The processing of data by ONCARE on behalf of the healhcare provider is carried out based on Art. 28 GDPR (order processing agreement).

OPERATIONAL DATA PROCESSING

In case you are a contact person for the operation of the myoncare portal at your location/practice (e.g. IT administrator, appointed healthcare professional), you may provide us with certain personal data when you contact us to understand or discuss the features and use of the myoncare portal, or in the event of a service request.

In the event of a service request, the following personal data can also be viewed by authorized ONCARE employees:

Your personal data that you have provided to us for registration and/or login to our portal (e.g. name, date of birth, profile picture, contact details).

Authorized ONCARE employees who may access your database for the purpose of processing a service request are contractually obligated to keep all personal information strictly confidential.

When processing operational data, ONCARE acts as a data officer responsible for the lawful processing of your personal data.

Types of Data: email address, date of birth, date of registration, your IP address, pseudo-keys generated by the Portal.

The app uses Google Maps API to use geographic information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. You can find more detailed information about the scope, legal basis and purpose of data processing by Google as well as the storage period in the Google Privacy Policy.

Purpose of processing operational data: We use the operational data to maintain the functionalities of the myoncare portal and to contact you directly if necessary or on your initiative (e.g. in the event of changes to terms of use, necessary support, technical problems, etc.). Furthermore, personal data (e-mail address) is required and processed within the framework of two-factor authentication every time you log in to the myoncare portal.

Justification of processing in accordance with the GDPR: The processing of personal data is justified based on Art. 6 para. 1 lit. b GDPR for the performance of the contract that you conclude with ONCARE for the purpose of using the myoncare portal.

IPGEOLOCATION

IP Geolocation: We use a geolocation application for our Services. We use ipapi (provided by apilayer Data Products GmbH, Elisabethstraße 15/5, 1010 Vienna, Austria) and Geoapify (provided by Keptago Ltd., N. Nikolaidi and T. Kolokotroni ONISIFOROU CENTER 8011 Paphos, Cyprus) to identify the location of patient users. We use it to secure our applications and to verify the location of the patient user to ensure that the use of our services is compliant. We do not combine the information we collect with any other information about the user that could identify them. The data processed by apilayer includes the patient's IP address and other details about the location. The legal basis for the use is Art. 6 para. 1 lit. f GDPR. The data will be deleted when the associated purpose for which it was collected no longer exists and there is no longer a legal obligation to store it. For more information on their privacy policy, please see https://ipapi.com/privacy/ and Privacy Policy | Geoapify location platform.

PROCESSING OF TREATMENT DATA

While using the myoncare portal, you enter personal (health) data of your patients into the myoncare portal (e.g. provision of an individual care plan, reminder to take medication, etc.). In addition, you and your patients can upload documents and files to the myoncare portal and share them with each other. In addition, location functions can be generated and implemented:

·       Adding a location;

·       Uploading the logo of the site;

·       Adding the details of the location;

·       Uploading a Privacy Policy

It is possible to create further consent requirements for the patient, for which the patient must give consent in order to connect to the website.

An uploaded privacy policy will be displayed to every patient who connects to the website. All declarations of consent must be documented in the uploaded privacy policy. Once a privacy policy has been uploaded, it can only be replaced by a new version but cannot be deleted.

The files are stored in a cloud database in Germany. You can allow the sharing of such files with other portal users within your institution for medical purposes. Other portal users do not have access to these files.

In accordance with the GDPR, you are responsible for the processing of patients' health data in the context of the use of the myoncare services as the data officer.

We process such personal data, including the patient's health data, under an agreement with you and in accordance with your instructions.

GDPR rules

For the purposes of using the myoncare services with patients' health data, you are therefore the responsible data officer (in accordance with GDPR). Please only process your patients' data if you have obtained the required data consent from these patients. ONCARE will act as a processor (pursuant to GDPR) in accordance with the separate data processing agreement we agree upon with you based on Art. 28 GDPR.

PROCESSING OF COMMERCIAL STORE DATA

Only applicable if you use the myoncare store as a careplan user.

The myoncare store is integrated into the myoncare portal and offers the purchase of care plans. After registering with the myoncare portal, you can connect to the myoncare store using your login details. You can use the myoncare Store to purchase care plans as a user.

Data of the careplan user:

The data of the careplan user, which the myoncare store processes during its use, is processed for the conclusion of a license agreement with the careplan provider – in this case ONCARE – and, if a fee is due, for the processing and control of the payment transaction between the careplan provider – in this case ONCARE – and the careplan user .

Types of data: name, contact details, bank account details.

Processing of commercial store data: Personal data that is processed by us in the case of using the myoncare store, either in the context of authorship of care plans or the purchase of care plans. In addition, the payment data (if a usage fee is charged) will be forwarded to the careplan provider.

GDPR rules

Justification for the processing of commercial store data: The legal basis for the processing of personal data is the separate order processing agreement that we concluded with the careplan provider based on Art. 28 GDPR.

PROCESSING OF ACTIVITY DATA

Only applicable if your connected app users consent to and enable data transfer.

myoncare tools offer app users the option of connecting the myoncare app to certain health apps (e.g. AppleHealth, GoogleFit, Withings) ("Health App"), provided that these are used by the app user and the connection is made by the app user. If the connection is established, activity data collected by the Health App will be made available to you for the purpose of providing additional, contextual information regarding the app user's activity. Please note that activity data is not validated by myoncare tools and should therefore not be used for diagnostic purposes as a basis for medical decision-making.

The processing of activity data is the responsibility of your patients.

Types of data: The type and scope of data transferred depend on the decision of the app users. Data may include weight, height, steps taken, calories burned, hours of sleep, heart rate, and blood pressure, among others.

Purpose of Processing Activity Data: App User Activity Data is provided to you for the purpose of providing additional, contextual information regarding the app user's activity. Please note that activity data is not validated by myoncare tools and should therefore not be used for diagnostic purposes as a basis for medical decision-making.

Justification of processing:

The data officer is the patient themselves by giving you access to his activity data for the purpose of reviewing the information shared. Therefore, no further justification is required.

PROCESSING OF PRODUCT SAFETY DATA

Only applicable if you use the medical device variant of the myoncare tools.

The myoncare portal and the myoncare app are classified and marketed as medical devices in accordance with European medical device regulations. As the manufacturer of the myoncare tool, we must comply with certain legal obligations (e.g. monitoring the functionality of the tool, evaluating incident reports that could be related to the use of the tool, tracking users, etc.). In addition, myoncare tools allow you to collect personal data about specific medical devices or medicines used in the treatment of your patients. The manufacturers of such medical devices or medicinal products also have legal obligations regarding market surveillance (e.g. collection and evaluation of side effect reports).

ONCARE is the data controller for the processing of product safety data.

Types of data: case reports, personal data provided in an incident report and results of the evaluation, details of the reporter.

Processing of product safety data: We store and evaluate all personal data in connection with our legal obligations as a manufacturer of a medical device and transmit this personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data officers with supervisory obligations. In addition, we will store and transfer personal data related to medical devices and/or medicines if we receive communications from you as the reporter of such information, from your patient or from a third party (e.g. our distributors or importers of the myoncare tools in your country) that must be reported to the manufacturer of the product in order for the manufacturer to comply with its legal obligations on product safety.

 

GDPR rules

The legal basis for the processing of personal data for the fulfilment of legal obligations as a manufacturer of medical devices or medicinal products is Art. 6 para. 1 lit. c, Art. 9 para. 2 lit.  i GDPR in conjunction with the post-market monitoring obligations under the Medical Devices Act and the Medical Devices Directive (regulated as of 26 May 2021 in Chapter VII of the new Medical Devices Regulation (EU) 2017/745) and/or the Medicines Act.

WHAT TECHNOLOGY IS USED BY THE MYONCARE PORTAL AND THE MYONCARE APP?

The myoncare portal works as a web-based tool for which you need a working internet connection and any current version of the internet browser Chrome, Firefox or Safari.

E-mail service

We use Brevo (provided by Sendinblue GmbH, located at Köpenicker Straße 126, 10179 Berlin) and Sendgrid (provided by Twilio Inc., 1801 California Street Suite 500, Denver, CO 80202, USA). These e-mail services can be used to organize the sending of e-mails.  Sendgrid is used to send confirmation emails, transaction confirmations, and emails with important information related to requests. The data you enter for the purpose of receiving e-mails is stored on Sendgrid's servers. When we send emails on your behalf through SendGrid, we use an SSL secured connection.

Email communication is used for the following tasks:

- Logging in to the web application for the first time;

- Workflow to reset the password for the web app;

- Create an account for the patient app;

- Patient application password reset workflow;

- Generation and sending of a report;

-Replace push notifications with emails for PWA (Progressive Web App) in the following cases:

(i) if a Care Plan ends within one day;

(ii) if medication has been assigned;

(iii) if the Privacy Policy has been updated;

(iv) when an appointment is sent to patients                 and physicians, in particular for the "video call"             appointment type;

(v) all information relating to a Caretask or if                an HCP has assigned a Caretask.

Important Explanations of Push Notifications and Emails

As part of your support by myoncare, we would like to inform you about how we handle notifications and important information that we send you.

1.     Push notifications:

o   We send you push notifications via our myoncare PWA (Progressive Web App) and the myoncare app to inform you about tasks, appointments and important updates.

o   You have the option to disable these push notifications in your app's settings.

2.     Email notifications:

o   Whether you have enabled or disabled push notifications, we will continue to send you important information and reminders via email.

o   This ensures that you don't miss any important notifications and that your support runs smoothly.

Why we do this:

·       Our goal is that you are always informed about your tasks and important updates in order to optimally support your care.

·       Emails are a reliable way to ensure that important information reaches you, even when push notifications are disabled.

Your options for action:

·       If you do not want to receive push notifications, you can deactivate them in the settings of the myoncare app.

·       Please ensure that your email address is accurate and up to date to ensure the smooth receipt of our messages.

·       If you do not want to receive email reminders, you can deactivate them in the settings of the myoncare app.

Storage period

The data you provide to us to receive emails will be stored by us until you log out of our services and will be deleted from both our servers and Sendgrid's servers after you log out.

Brevo (Privacy Policy): Privacy Policy - Personal Data Protection | Brevo

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Visible

This is an open-source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transmit data to servers outside of ONCARE's control. Matomo is initially disabled when you use our services. Only if you agree, will your user behavior be recorded anonymously. If deactivated, a "persistent cookie" will be stored, if your browser settings allow it. This cookie signals to Matomo that you do not want your browser to be recorded.

The usage information collected by the cookie is transmitted to our servers and stored there so that we can analyze user behavior.

The information generated by the cookie about your use is:

- Role;

- User geolocation;

- Browser;

- User operating system;

- IP address;

- Sites visited via web / PWA (for more information, see the section on PWA in this Privacy Policy);

- buttons that the user clicks on in the myoncare portal, in the myoncare app and in the myoncare PWA

time that the user has used content.

The information generated by the cookie will not be passed on to third parties.

You can refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that you may not be able to use all the features in this case. For more information, see: https://matomo.org/privacy-policy/ .

The legal basis for the processing of users' personal data is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing of users' personal data enables us to analyze usage behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and their usability.

We process and store personal data only for as long as is necessary to fulfil the intended purpose.

SECURE TRANSFER OF PERSONAL DATA

We use appropriate technical and organizational security measures to optimally protect the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in cooperation with security experts and adapted to new security standards.

The data exchange from and to the portal as well as from and to the app is encrypted. We offer SSL as an encryption protocol for secure data transmission. The data exchange is also encrypted throughout and is carried out with pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only pass on your personal data to third parties within the framework of the legal provisions or based on your consent. In all other cases, the information will not be disclosed to third parties, unless we are obliged to do so due to mandatory legal regulations (disclosure to external bodies, including supervisory or law enforcement authorities).

We will only share information and data about you if required to do so by state or U.S. federal law; this includes requests from the Department of Health and Human Services if the agency wishes to verify compliance with U.S. federal law.  

Any transmission of personal data is encrypted during transmission.

The information on how we handle the personal (health) data of your patients who use the myoncare app is summarized in a separate privacy policy for the myoncare app. You can find this privacy policy for patients here[LG3] .

Please also read this patient privacy policy carefully. For processing some of patient data, you are the data officer and responsible for compliance with data protection (e.g. transmission of treatment data to the patient).

GENERAL INFORMATION ON CONSENT

Your consent also constitutes consent to data processing under data protection law. Before granting your consent, we will inform you about the purpose of the data processing and your right to object.

GDPR rules

If the consent also relates to the processing of special categories of personal data, the myoncare portal will expressly inform you of this as part of the consent procedure. Processing of special categories of personal data pursuant to Art. 9 para. 1 GDPR may only take place if this is necessary due to legal provisions and there is no reason to assume that your legitimate interests preclude the processing of this personal data or that you have given your consent to the processing of this personal data in accordance with Art. 9 para 2 GDPR.

For the data processing for which your consent is required (as explained in this Privacy Policy), consent will be obtained as part of the registration process. After successful registration, the consents can be managed in the account settings of the myoncare portal. In addition, ONCARE will ask you to agree to a data processing agreement for the data processed by ONCARE under your responsibility as a data controller.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that only those persons who are obliged to do so in order to fulfill their contractual and legal obligations are entitled to process personal data.

In certain cases, service providers support our specialist departments in the fulfillment of their tasks. The necessary data protection contracts have been concluded with all service providers who are processors (within the meaning of the GDPR) for health information / personal data. These service providers are Google (Google Firebase) cloud storage providers and support service providers.

Google Firebase is a "NoSQL database" that enables synchronization between the myoncare portal and your patient's myoncare app. NoSQL defines a mechanism for storing data that is not only modeled in tabular relationships by allowing easier "horizontal" scaling compared to tabular/relational database management systems in a cluster of machines.

For this purpose, a pseudo-key of the myoncare portal and the myoncare app is stored in Google Firebase together with the corresponding care plan. The data transfer is pseudonymized for ONCARE and its service providers, which means that ONCARE and its service providers cannot establish a relationship with you as a data subject. This is achieved by encrypting the data during the transfer and using pseudo-keys to track these transfers instead of personal identifiers such as names or e-mail addresses.  Re-identification takes place as soon as the personal data has reached the patient account in the myoncare app or in your account in the myoncare portal after verification by specific tokens.

Our cloud storage providers offer cloud storage in which the Firebase manager, which manages the Firebase URLs for the myoncare portal, is stored. In addition, these service providers provide the isolated server domain of the myoncare portal, in which your personal data as well as that of your patient is stored.  It also hosts myoncare's video and file management service, which enables encrypted video conferencing and data exchange between you and your patient. Access to your personal data by you and your patient is ensured by sending specific tokens. This personal data is encrypted during the transfer and pseudonymized for ONCARE and its service providers during the transfer and at rest. ONCARE service providers do not have access to this personal data at any time.

Furthermore, we use service providers to process service requests (support service providers) regarding the use of the account, for example, if you have forgotten your password, want to change your stored e-mail address, etc. The necessary order processing agreements have been concluded with these service providers; furthermore, the employees entrusted with the processing of service requests were trained accordingly. Upon receiving your service request a ticket number will be assigned to it.

If it is a service request regarding your account usage, the relevant information that you have provided to us when contacting us will be forwarded to one of the authorized employees of the external service. They will then contact you.

Otherwise, it will remain processed by specially approved Oncare staff, as described under "PROCESSING OF OPERATIONAL DATA".

Through our support service providers, we use the tool RepairCode, also known as Digital Twin Code which is a customer experience platform for handling external feedback with the ability to create support tickets. Here you will find the

Privacy Policy: https://app.repaircode.de/?main=main-client – Legal/privacy.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The personal data collected by the myoncare portal or the myoncare app is not stored in the app stores.

Personal data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is necessary for the fulfilment of the contractual obligation, is required by law or you have given us your consent.

The synchronization of the myoncare portal with the myoncare app takes place with the help of Google Firebase. Google Firebase servers are hosted in the European Union. Nevertheless, according to the general Google Firebase terms and conditions, a temporary data transfer to countries in which Google and related service providers have branches is possible; for certain Google Firebase services, data is only transferred to the USA, unless processing takes place in the European Union or the European Economic Area.  Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Our servers are hosted in Germany. For analysis purposes, the emails sent with SendGrid contain a so-called "tracking pixel" that connects to Sendgrid's servers when the email is opened. This can be used to determine whether an e-mail message has been opened.

GDPR Rules

Data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The lawfulness of the data processing operations that have already taken place remains unaffected by the revocation.

Please note that your data will usually be transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid that contains the EU Standard Contractual Clauses. This ensures that there is a level of protection comparable to that of the EU.

To process activity data, interfaces to Google Cloud services (in the case of GoogleFit) or to AppleHealth or Withings are used within the App User's mobile device. myoncare tools use these interfaces, which are provided by Google, Apple and Withings, to request activity data from the connected health applications. The enquiry sent by myoncare tools does not contain any personal data. Personal data is made available to the myoncare tools via these interfaces.

DURATION OF STORAGE OF PERSONAL DATA IN ACCORDANCE WITH GDPR

We will retain your personal data for as long as it is needed for the purpose for which it is processed. Please note that numerous retention periods require the continued storage of personal data. This applies in particular to retention obligations under commercial or tax law.

Please note that ONCARE is also subject to retention obligations, which are contractually agreed with you based on the legal provisions. In addition, due to the classification and, if applicable, your use of the myoncare portal and the myoncare app as a medical device, certain retention periods apply to the portal, which result from the Medical Devices Act. If there are no other retention obligations, the personal data will be routinely deleted as soon as the purpose has been achieved.

In addition, we may retain personal data if you have given us your consent to do so or if litigation arises and we use evidence within the statutory limitation periods, which can be up to 30 years; the regular limitation period is three years.

SECURE TRANSFER OF PERSONAL DATA

Various personal data are necessary for the establishment, execution and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare portal and the various functions it offers.

AUTOMATED DECISIONS (IN ACCORDANCE WITH GDPR) IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

YOUR RIGHTS AS A DATA SUBJECT (UNDER GDPR)

We would like to inform you about your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR and include:

Right of access (Art. 15 GDPR):  You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period and your rights to rectification, erasure and objection. You also have the right to receive a copy of any personal data we hold about you.

Right to erasure / right to be forgotten (Art. 17 GDPR): You can ask us to delete your personal data collected and processed by us without undue delay. In this case, we will ask you to delete the myoncare portal from your computer. Please note, however, that we can only delete your personal data after the expiry of the statutory retention periods.

Right to rectification (Art. 16 GDPR): You can ask us to update or correct inaccurate personal data concerning you or to complete incomplete personal data.

Right to data portability (Art. 20 GDPR): In principle, you can request that we provide you with personal data that you have provided to us and that is processed automatically on the basis of your consent or the performance of a contract with you in machine-readable form so that it can be "ported" to a substitute service provider.

Right to restriction of data processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims or an objection to the processing is being examined.

Right to object to data processing (Art. 21 GDPR): You have the right to object to our use of your personal data and to withdraw your consent at any time if we process your personal data based on your consent. We will continue to provide our services if they are not dependent on withdrawn consent.

To exercise these rights, please contact us at:  privacy@myoncare.com. Objection and revocation of consent must be declared in text form to privacy@myoncare.com .

We will require you to provide sufficient proof of your identity to ensure that your rights are protected and that your personal data will only be disclosed to you and not to third parties.

Please also contact us at any time at privacy@myoncare.com if you have any questions about data processing in our company or if you would like to withdraw your consent. You also have the right to contact the competent data protection supervisory authority.

SUBMIT A COMPLAINT

If you believe that your privacy has been violated by ONCARE, you may file a complaint with us and the U.S. Department of Health and Human Services in Washington, D.C. There are no disadvantages for you for filing a complaint.  To file a complaint or receive further information, please use the following contact options:

Phone: +49 (0) 89 4445 1156

E-mail: privacy@myoncare.com

Address: Balanstraße 71a

81541 Munich, Germany

Re: Complaint

You can file a complaint with the U.S. Department of Health and Human Services by writing a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201 or calling 1-800-368-1019 (toll-free) or 1-800-537-7697 (TTD) or filing an online complaint at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.

DATA PROTECTION OFFICER (IN ACCORDANCE WITH GDPR)

Our data protection officer is available to answer all data protection questions at privacy@myoncare.com.

CHANGES TO THE PRIVACY POLICY

We expressly reserve the right to change this Privacy Policy in the future at our sole discretion. Changes or additions may be necessary, for example, to meet legal requirements, to comply with technical and economic developments, or to meet the interests of app or portal users.

Changes are possible at any time and will be communicated to you in an appropriate manner and in a reasonable timeframe before they become effective (e.g. by posting a revised Privacy Policy at login or by giving advance notice of material changes).

In case of questions of interpretation or disputes, only the German version of the Privacy Policy shall be binding and authoritative.

ONCARE GmbH

Mailing address

Balanstraße 71a

81541 Munich, Germany

T | +49 (0) 89 4445 1156

E | privacy@myoncare.com

Contact information of the Data Protection Officer

privacy@myoncare.com

Last updated on October 29, 2024

U.S. PRIVACY POLICY

Welcome to myoncare, the digital health portal and mobile app ("App") for efficient and on-demand patient care and support for occupational health management programs.

This Privacy Policy describes how your personal and medical information may be used and shared, and how you can access that information. Please read this Privacy Policy carefully. In this privacy policy, you will learn why and how ONCARE processes your personal health data provided to us if you decide to use the myoncare app.

For us at Oncare GmbH (hereinafter referred to as "Oncare (ONCARE or "we", "us", "our"), the protection of your privacy and the personal data concerning you when using the myoncare app is of great relevance and importance. We are aware of the responsibility that arises from your trust in providing and storing your personal (health) data in the myoncare app. Therefore, our technology systems used for the myoncare services are set up to the highest standards and the lawful processing of the data is at the core of our ethical understanding as a company.

Any information we hold that is provided by your healthcare providers is Protected Health Information (PHI) and/or other medical information. These are protected by certain laws, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA). We have a legal obligation to protect the privacy and security of protected health information. We constantly strive to protect health information through administrative, physical, and technical means, and otherwise comply with applicable federal and state laws.

The use and disclosure of such PHIs is in accordance with applicable privacy policies and applicable laws. To understand in more detail how we process and share these PHIs, you should read this Privacy Policy carefully.

Please read the Privacy Policy carefully to ensure that you understand each provision. After reading the Privacy Policy, you have the opportunity to agree to the Privacy Policy and consent to the processing of your personal (health) data as described in the Privacy Policy. If you give your consent, the Privacy Policy becomes part of the contract between you and ONCARE. We guarantee the rights and obligations described in this Privacy Policy. We use and process your data in accordance with the provisions of this privacy policy.

According to the terms of use, our offer is only aimed at persons aged 18 and over. Accordingly, no personal data of children and adolescents under the age of 18 is stored and processed.

DEFINITIONS

"app user" means any user of the myoncare App (Patient and/or Employee).

"blockchain technology" The myoncare system contains an additional database in which the data of all installations is stored.

"company" means your employer if you and your employer use myoncare tools for the employer's occupational health management.

"covered entity" means a health plan, health care clearinghouse, or healthcare provider that submits health information in electronic form in connection with a transaction that falls under HIPAA.

"data service provider" means any agent engaged and instructed by the Company to collect, review and interpret pseudonymized or anonymized employee data in occupational health management programs on the basis of a separate service agreement with the Company (e.g., data analyst, general health prevention services, data evaluation services, etc.), which is provided by a separate information sheet to employees.

"EU General Data Protection Regulation". The General Data Protection Regulation (GDPR) is a European data protection law. The regulation came into force on 25 May 2018 and aims to harmonise data protection across all member states and give citizens more control over their personal data. The GDPR applies to all companies and organizations that operate in the EU or process personal data of EU citizens, regardless of whether the company is located inside or outside the EU. The GDPR also applies to you as a US citizen because Oncare is based in Germany.

"healthcare provider" means your physician, clinic, healthcare facility, or other healthcare professional acting alone or on behalf of your physician, clinic, or healthcare facility.

"pathway" is a standardized treatment plan that can determine the steps for diagnoses and therapies. "care tasks" are specific tasks or actions within a pathway that must be performed by the healthcare providers involved, the nursing staff or the patient himself.

"health information" means all information, including genetic information, whether recorded orally or in any form or on any medium, and which

- processed or transferred by a healthcare provider, health plan, health authority, employer, life insurer, school or university, or health clearing house; and

- relates to the past, present or future physical or mental health of a person or any health condition in connection with medical treatment of the person, as the case may be;

- the past, present or future fee remuneration for a person's health care. "Protected Health Information" or "PHI" means individually identifiable health information that

(i) is transmitted via electronic media;

(ii) are maintained in electronic media; or

(iii) transmitted or maintained in any other form or medium.

"Health Insurance Portability and Accountability Act," The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that provides for the creation of national standards to protect patients' sensitive health information from unauthorized disclosure without their consent or knowledge. The HIPAA requirements apply to the use and disclosure of health information of individuals by institutions subject to the HIPAA Act. These individuals and organizations are referred to as "covered entities."

"myoncare PWA App" means the myoncare Progressive Web App application for patients who wish to use the services offered by ONCARE via the PWA App and not via the myoncare App.

"myoncare Portal" is the myoncare web portal, which is intended for professional use by portal users and serves as an interface between portal users and app users.

"myoncare services" means the services, functionalities and other offers that are or may be offered to Portal Users via the myoncare portal and/or to app users via the myoncare app.

"myoncare tools" means the myoncare app and the myoncare portal together.

"ONCARE" or "we" means ONCARE GmbH, based in Germany.

"portal user" means any healthcare provider, company or data service provider using the web-based myoncare Portal.

"Privacy Policy" means this statement given to you as a patient or employee and user of the myoncare app, which describes how we collect, use and store your personal data and informs you of your rights.

"myoncare app" means the myoncare mobile app for use by patients or employees who wish to use the services offered by ONCARE.

"Terms of Use" means the terms of use for the use of the myoncare App.

COMPLIANCE WITH LAWS

Oncare GmbH, a company registered with the District Court of Munich under registration number 219909 with its registered office at Balanstraße 71a, 81541 Munich, Germany, offers the mobile application myoncare App and operates it as access to the myoncare services. This privacy policy applies to all personal data processed by ONCARE in connection with the use of the myoncare app.

ONCARE is a "business associate" within the meaning of HIPAA that provides services and health plans to healthcare providers referred to as "covered entities" within the meaning of HIPAA; ONCARE concludes business partner agreements with these covered companies. ONCARE will only process and share the PHIs under the terms of the Agreements and HIPAA.

We are required by U.S. law to maintain the privacy and security of your protected health information.

We are required by U.S. law to follow laws designed to protect the privacy and security of protected health information. We will inform you immediately if a breach (so-called data breach) occurs that could have endangered the privacy or security of (health) information.

We must comply with the obligations and content described in this Privacy Policy and provide you with a copy of the Privacy Policy upon request.

No identifiable personal (health) information will be sold.

We will not use or share your information other than as described here, unless you tell us that we are allowed to do so.

U.S. Privacy Policy, U.S. federal and state laws may impose additional restrictions on the sharing of your health information in connection with medical treatment for drug or alcohol abuse, sexually transmitted diseases, genetic information, or mental health treatment programs. If relevant laws apply, we will obtain your consent before sharing or processing this data.

WHAT IS PERSONAL DATA WITHIN THE MEANING OF THE GDPR

We process your personal data in accordance with the applicable legal provisions on the protection of personal data, in particular the EU General Data Protection Regulation and the country-specific laws that apply to us. You will find a description of the personal data we collect and process, as well as the purpose and basis on which we process the personal data and the rights to which you are entitled.

"Personal data" means any information that allows a natural person to be identified. In particular, this includes your name, birthday, address, telephone number, email address and IP address.

"Health data" means personal data relating to the physical or mental health of a natural person, including the provision of health services that reveal information about their health status.

Data is considered "anonymous" if no personal reference to the person/user can be established. In contrast, "pseudonymized" data is data in which personal reference or personal data is replaced by one or more artificial identifiers or pseudonyms, but which can generally be reidentified by the identifier key (within the meaning of Art. 4 No. 5 GDPR).

myoncare PWA-App

A progressive web app (PWA) is a website that looks and has the functionality of a mobile app. PWAs are built to take advantage of the native features of mobile devices without the need for an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing the benefits of native mobile apps into the browser. The PWA is based on the technology of "React Native for Web". "React Native for Web" is an open-source software for PWA applications.

To use the myoncare PWA, patients need a computer or smartphone and an active internet connection. There is no need to download an app.

Some of the myoncare app services cannot be used within the myoncare PWA, see the description below for details. These are the following services or specifications:

- Chat with healthcare providers;

- Video;

- Security PIN codes;

- Activity data tracking (e.g. via AppleHealth, GoogleFit, Withings).

The following information about the myoncare app also applies to the myoncare PWA, unless otherwise described in this section

WHAT PERSONAL DATA IS USED WHEN USING THE MYONCARE APP

We use and share your health information for usual business activities that fall into the categories of treatment and healthcare under the law. We may process the following categories of data about you when using the myoncare app:

Operational data: Personal data that you provide to us when registering in our myoncare app, contacting us about problems with the app or otherwise interacting with us for the purpose of using the app.

Treatment data: You or your healthcare provider enter personal data such as name, age, height, weight, indication, symptoms of illness and other information in connection with your treatment (e.g. in a care plan) with the support of the myoncare app. Information related to your treatment includes, but is not limited to: information about medications taken, questionnaire responses including disease- or condition-related information, diagnoses and therapies provided by your healthcare provider , planned and completed tasks).

Activity data: Personal data that is processed by us if you connect the myoncare app to a health app (e.g. GoogleFit, AppleHealth, Withings). Your activity data will be transferred to your affiliated healthcare providers as portal users.

Commercial and non-commercial research data: We process your personal data in anonymized/pseudonymized form in order to analyze and produce summary scientific reports in order to improve products, treatments and scientific results.

Product safety data: Personal data that is processed to comply with our legal obligations as the manufacturer of the myoncare app as a medical device. In addition, your personal data may be processed by medical device or pharmaceutical companies to meet legal security or vigilance objectives.

Reimbursement Information: Personal data required for the reimbursement process between your myoncare healthcare provider and your health insurance company.

Occupational health management data: Personal or aggregated data collected in specific projects and questionnaires at the request of the company (either directly or through a data service provider contracted by the company). The data may relate to certain health information, your opinion about your personal well-being, your opinion as an employee about a particular internal or external situation, or data about care or health in general.

BLOCKCHAIN-TECHNOLOGY

Blockchain technology ("Blockchain") (European Patent No. 4 002 787) is an optional service that is not mandatory. It is up to you, the service provider, to decide to use the blockchain solution. The blockchain is based on Hyperledger Fabric's technology. Hyperledger Fabric is an open-source software for enterprise-level blockchain implementations. It offers a scalable and secure platform that supports blockchain projects.

The blockchain in the myoncare system is an additional database that stores data from the application. All blockchain data is stored in the Federal Republic of Germany. It is a private blockchain ("Private Blockchain"), it only allows the input of selected verified participants, and it is possible to overwrite, edit or delete entries as needed.

Generally, the blockchain consists of digital data in a chain of packets called "blocks" that store the corresponding transactions. The way these blocks are connected to each other is chronological. The first block that is created is called the genesis block, and each block added after that has a cryptographic hash related to the previous block, allowing transactions and changes of information to be traced back to the genesis block. All transactions within the blocks are validated and verified through a blockchain consensus mechanism to ensure that each transaction is unchanged.

Each block contains the list of transactions, a timestamp, its own hash, and the hash of the previous block. A hash is a function that converts digital data into an alphanumeric chain. In this case, the block can no longer be synchronized with the others. If an unauthorized person tries to change the data of a single block, the hash of the block would also change and the link to that block would be lost. If all nodes (network nodes) attempt to synchronize their copies, it is detected that a copy has been modified, and the network deems that node to be faulty. This technical process prevents unauthorized persons from manipulating the contents of the blockchain chain.

Our blockchain is a private blockchain. A private blockchain is decentralized. It is a so-called distributed ledger system (digital system for recording transactions), which functions as a closed database. Unlike public blockchains, which are "unauthorized," private blockchains are „authorized" because authorization is required to become a user. In contrast to public blockchains, which are publicly accessible to everyone, access to private blockchains is dependent on authorization in order to become a user. This structure makes it possible to take advantage of the security and immutability of blockchain technology while being data protection compliant, and in particular to comply with the regulations of the General Data Protection Regulation (GDPR). Private blockchain records can be edited, altered, or deleted; deletion in this context means that the reference value to the UUID (Universally unique identifier) in the database of the service provider is deleted. In addition, the hash is anonymized in the blockchain database, with the result that this overall process is compliant with the General Data Protection Regulation and the rights of a data subject are guaranteed (right to erasure "right to be forgotten", Art. 17 GDPR).

Type of data stored and processed in the blockchain:

- Patients-UUID

- Institutions/Leistungserbinger UUID

- Asset-UUID

- Hash of caretask and asset data.

(UUID: Universal Unique Identifier).

The data stored in the blockchain is pseudo-anonymized.

Our blockchain is designed to ensure data privacy in terms of data integrity, patient profile, assets, and assigned care tasks and medications. To communicate with the blockchain, the user must register a series of public-private keys. To communicate with the blockchain, the user needs several public-private keys; the registration process generates certificates that are stored in a separate database of the healthcare provider and on the patient's mobile phone. A backup copy of the patient key is encrypted and stored in the healthcare provider's database, which can only be accessed by the patient.

When verifying consent to data protection, in the event that the healthcare provider wants to communicate with the patient, the system checks whether the patient has given consent to the Provider's Privacy Policy. The blockchain therefore serves to ensure the integrity and accountability of the record to ensure that the patient has accepted the privacy policy.

When a healthcare provider uploads a new version of a privacy policy, the hash of the file is stored on the blockchain, and after the patient agrees to the privacy policy, that interaction is stored on the blockchain. Every time it communicates with the patient, the blockchain responds by comparing the hash with a flag that indicates whether the patient's consent is still valid for the current privacy policy.

The integrity of the patient profile is also ensured by the blockchain in patient synchronization. The healthcare provider immediately recognizes if the patient profile does not synchronize or match the profile on the mobile phone by comparing the hash of the patient profile in the blockchain. In this way, the healthcare provider achieves sufficient up-to-dateness with regard to the patient profile.

myoncare Portal:

If the service provider decides to use the blockchain solution, ONCARE implements an additional tool, called "Adapter Service", which is used to communicate with the blockchain. The blockchain instance is hosted by ONCARE.

myoncare App:

Patients can connect to the same blockchain instance using the Phone Manager tool, which is also hosted by ONCARE. This service is also hosted by ONCARE.

Justification of processing: The processing of data by ONCARE on behalf of the healthcare provider is carried out on the basis of Art. 28 GDPR (order processing agreement).

OPERATIONAL DATA PROCESSING

Applicable to all app users

You may provide us with certain personal information when you contact us to understand or discuss the features and use of the app, or in the event of a service request.

In the event of a service request, the following personal data can also be viewed by authorized ONCARE employees:

- the personal data that you have provided to your healthcare provider via our app (e.g. name, date of birth, profile picture, contact details);

- the health information that you have provided to your healthcare provider, the data service provider or the company via our myoncare app (e.g. information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies by healthcare professionals, planned and completed tasks).

Authorized ONCARE employees who may access the database of your service provider, data service provider or company for the purpose of processing a service request are contractually obliged to keep all personal data strictly confidential.

When the myoncare app is downloaded, the necessary information is transmitted to the app store provider. We have no control over this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare apps and services.

When processing operational data, ONCARE acts as a data controller responsible for the lawful processing of your personal data.

Types of data: your name, email address, date of birth, date of registration, pseudo-keys generated by the app; Device tokens to identify your device, your pseudo-identification number, your IP address, type and version of the operating system used by your device.

The app uses Google Maps API to use geographic information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. You can find more detailed information about the scope, legal basis and purpose of data processing by Google as well as the storage period in the Google Privacy Policy.

In our organization, we ensure that only those persons who are obliged to do so in order to fulfil their contractual and legal obligations are entitled to process personal data. Your personal data and health data that you enter into our myoncare app will be made available to your service provider and/or company either directly or via a data service provider (depending on the type of use of the myoncare tools).

GDPR rules: The processing of company data is justified on the basis of Art. 6 para. 1 lit. b GDPR for the performance of the contract that you conclude with ONCARE for the purpose of using the myoncare app.

IP GEOLOCATION

IP Geolocation: We use a geolocation application for our Services. We use ipapi (provided by apilayer Data Products GmbH, Elisabethstraße 15/5, 1010 Vienna, Austria) and Geoapify (provided by Keptago Ltd., N. Nikolaidi and T. Kolokotroni ONISIFOROU CENTER 8011 Paphos, Cyprus) to identify the location of patient users. We use it to secure our applications and to verify the location of the patient user to ensure that the use of our services is compliant. We do not combine the information we collect with any other information about the user that could identify them. The data processed by apilayer includes the patient's IP address and other details about the location. The legal basis for their use is Art. 6 (1) (f) GDPR. The data will be deleted when the associated purpose for which it was collected no longer exists and there is no longer a legal obligation to store it. For more information on their privacy policy, please see https://ipapi.com/privacy/ and Privacy Policy | Geoapify location platform.

PROCESSING OF (TREATMENT) DATA

Applicable to app users who use the app with their service provider

While using the myoncare app, your service provider enters your personal data into the myoncare portal in order to start myoncare services (e.g. provision of an individual care plan, reminder to take medication, etc.). In addition, you and your service provider can upload documents and files to the myoncare app and the myoncare portal and share them with each other. Your healthcare provider may upload a privacy policy for your information and define other consent requirements for you as a patient for which your consent must be given. The files are stored in a cloud database in Germany. Your healthcare provider may allow the sharing of such files with other Portal Users within its institution for medical purposes. Other portal users do not have access to these files.

We use and process your health information only for the operational activities permitted by HIPAA and other federal laws.

We process such personal data, including your health data, under an agreement with and in accordance with the instructions of your healthcare provider. For the purposes of this Agreement, the healthcare provider is responsible for the processing of your personal data and health data within the meaning of applicable data protection laws as a data controller, and ONCARE is the data processor of such personal (health) data. This means that ONCARE processes personal data only in accordance with the instructions of the healthcare provider. If you have any questions or concerns about the processing of your personal data or health data, you should contact your healthcare provider in the first place.

PROCESSING OF ACTIVITY DATA

Only applicable if you agree to and activate the activity data transfer via myoncare tools

myoncare tools offer you the option of connecting the myoncare app with certain health apps (e.g. AppleHealth, GoogleFit, Withings) that you use ("health app"). If the connection is established after you have given your consent, activity data collected by the Health Application will be made available to your healthcare providers for the purpose of providing additional, contextual information regarding your activity. In order to enable activity data processing, we will obtain your consent to the processing in advance. Please note that activity data is not validated by myoncare tools and should not be used by your healthcare provider for diagnostic purposes as a basis for medical decision-making. Please also note that your healthcare providers are not obliged to verify your activity data and do not have to give you any feedback regarding your activity data.

Activity data is shared with your affiliated healthcare providers every time the myoncare app is accessed. You can revoke your consent to share activity data at any time in the settings of the myoncare app. Please note that your activity data will not be shared from this point on. Activity data that has already been shared will not be deleted from the myoncare portal of your affiliated serv healthcare providers.

The processing of activity data falls under your own data responsibility.

Types of data: The type and amount of data transferred depend on your decision and the data available in your connected Health app. Data may include weight, height, steps taken, calories burned, hours of sleep, heart rate, and blood pressure, among others.

Purpose of processing activity data: Your activity data will be made available to your healthcare providers with whom you are connected for the purpose of providing additional, contextual information regarding your activity.

Justification of processing: The processing of activity data is your own responsibility.

PROCESSING OF PRODUCT SAFETY DATA

Applicable for app users whose service provider uses the medical device variant of the myoncare tools

The myoncare app is classified and marketed as a medical device according to the European medical device regulations. As the manufacturer of the app, we must comply with certain legal obligations (e.g. monitoring the functionality of the app, evaluating incident reports that could be related to the use of the app, tracking users, etc.). In addition, the myoncare app allows you and your healthcare provider to communicate and collect personal data about certain medical devices or medicines used in your treatment. The manufacturers of such medical devices or medicinal products also have legal obligations regarding market surveillance (e.g. collection and evaluation of adverse reaction reports).

Types of data: case reports, personal data provided in an incident report, and results of the evaluation.

Processing of product safety data: We will store and evaluate all personal data related to our legal obligations as a manufacturer of a medical device and transmit such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with monitoring obligations. In addition, we will store and transfer personal data in connection with medical devices and/or medicines if we receive notices from your service provider, from you as a patient or from a third party (e.g. our distributors or importers of the myoncare tools in your country) that must be reported to the manufacturer of the product in order for the manufacturer to comply with its legal obligations on product safety .

GDPR rules

ONCARE is the data controller for the processing of product safety data.

The legal basis for the processing of personal data for the fulfilment of legal obligations as a medical device or medicinal product manufacturer is Art. 9 para. 2 lit. i GDPR in conjunction with the monitoring obligations existing after placing on the market under the Medical Devices Act and the Medical Devices Directive (regulated as of 26 May 2021 in Chapter VII of the new Medical Devices Regulation (EU) 2017/745) and/or the Medicines Act.

PROCESSING OF OCCUPATIONAL HEALTH MANAGEMENT DATA

Applicable to users of the app who use the app with the company's occupational health management

During the use of the myoncare app in the company’s occupational health management, certain personal (health) data is passed on in aggregated form as data for occupational health management to the company and the data service providers commissioned by the company (e.g. data analysts or research companies). Neither the company nor any data service provider can assign such data to your identity. ONCARE recommends not to share any personal data during the use of myoncare services as part of occupational health management.

This means that ONCARE and all data service providers will only process the data for occupational health management in accordance with the company's instructions. We process such data for occupational health management, including your health data, on the basis of an agreement with the company and/or a data service provider and in accordance with their instructions. For the purposes of this Agreement, the Company is the data officer responsible for the processing of your Occupational Health Management Data and ONCARE and any data service providers engaged by your company, if any, are the processors of such data. If you have any questions or concerns about the processing of your data for occupational health management, you should contact the company in the first place.

Data processing: We process your company health management data in order to be able to provide our myoncare services for the company and for you. Your occupational health management data, which you enter in our myoncare app, will be used by the company (either directly or via a data service provider) as part of occupational health management. We process this personal data under an agreement with and in accordance with the instructions of your healthcare provider. The transmission of this treatment data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your service provider.

GDPR rules

Your data for occupational health management will be processed by the company in accordance with the provisions of the GDPR and all other applicable data protection regulations. The legal basis for data processing is, in particular, your consent in accordance with Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR or another norm applicable to the company. The processing of data by ONCARE to the company (either directly or via a service provider commissioned by the company) is also based on Art. 28 GDPR (Data Processing Agreement).

The company, as the data officer, is responsible for obtaining your consent if required by data protection regulations and for processing the data for occupational health management purposes in accordance with applicable data protection laws.

WHAT TECHNOLOGY IS USED BY THE MYONCARE PORTAL AND THE MYONCARE APP?

The myoncare portal works as a web-based tool for which you need a working internet connection and any current version of the internet browser Chrome, Firefox or Safari.

E-mail service

We use Brevo (provided by Sendinblue GmbH, located at Köpenicker Straße 126, 10179 Berlin) and Sendgrid (provided by Twilio Inc., 1801 California Street Suite 500, Denver, CO 80202, USA). These e-mail services can be used to organize the sending of e-mails. Sendgrid is used to send confirmation emails, transaction confirmations, and emails with important information related to requests. The data you enter for the purpose of receiving e-mails is stored on Sendgrid's servers. When we send emails on your behalf through SendGrid, we use an SSL secured connection.

Email communication is used for the following tasks:

- Logging in to the web application for the first time;

- Workflow to reset the password for the web application;

- Create an account for the patient application;

- Reset the password for the patient application;

- Generation and sending of a report;

- Replace push notifications with emails for PWA (Progressive Webapp) in the following cases:

(i) If a Care Plan ends within one day;

(ii) if medication has been assigned;

(ii) when the Privacy Policy has been updated;

(iv) when an appointment is sent to patients and physicians, especially for the "video call" appointment type;

(v)All information about a caretask or when a healthcare provider has assigned a caretask.

Important Explanations of Push Notifications and Emails

As part of your support by myoncare, we would like to inform you about how we handle notifications and important information that we send you.

  1. Push notifications:
  • We send you push notifications via our myoncare PWA (Progressive Webapp) and the myoncare app to inform you about tasks, appointments and important updates.
  • You have the option to disable these push notifications in your app's settings.
  1. Email notifications:
  • Whether you have enabled or disabled push notifications, we will continue to send you important information and reminders via email.
  • This ensures that you don't miss any important notifications and that your support runs smoothly.

Why we do this:

  • Our goal is to keep you informed about your tasks and important updates to best support your health.
  • Emails are a reliable way to ensure that important information reaches you, even when push notifications are disabled.

Your options for action:

  • If you do not want to receive push notifications, you can deactivate them in the settings of the myoncare app.
  • Please ensure that your email address is accurate and up-to-date to ensure the smooth receipt of our messages.
  • If you do not want to receive email reminders, you can deactivate them in the settings of the myoncare app.

Storage period

The data you provide to us to receive emails will be stored by us until you log out of our services and will be deleted from both our servers and Sendgrid's servers after you log out.

Brevo (Privacy Policy):Brevo (Privacy Policy):Privacy Policy - Personal Data Protection | Brevo

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/ .

Matomo

This is an open-source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transmit data to servers outside of ONCARE's control. Matomo is initially disabled when you use our services. Only if you agree, your user behavior will be recorded anonymously. If deactivated, a "persistent cookie" will be stored, provided that your browser settings allow it. This cookie signals to Matomo that you do not want your browser to be recorded.

The usage information collected by the cookie is transmitted to our servers and stored there so that we can analyze user behavior.

The information generated by the cookie about your use is:

- User Role;

- User geolocation;

- Browser;

- User-OS;

- IP address;

- Sites visited via web / PWA (for more information, see the section on PWA in this Privacy Policy);

- buttons that the user clicks on in the myoncare portal, in the myoncare app and in the myoncare PWA;

- time that the user has used content.

The information generated by the cookie will not be passed on to third parties.

You can refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that you may not be able to use all the features in this case. For more information, see: https://matomo.org/privacy-policy/ .

The legal basis for the processing of users' personal data is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing of users' personal data enables us to analyze usage behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and their usability.

We process and store personal data only for as long as is necessary to fulfil the intended purpose.

SECURE TRANSFER OF PERSONAL DATA

We use appropriate technical and organizational security measures to optimally protect the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in cooperation with security experts and adapted to new security standards.

The data exchange to and from the app is encrypted. We use TLS and SSL as encryption protocols for secure data transfer. The data exchange is also encrypted throughout and is carried out with pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only pass on your personal data to third parties within the framework of the legal provisions or on the basis of your consent. In all other cases, the information will not be disclosed to third parties, unless we are obliged to do so due to mandatory legal regulations (disclosure to external bodies, including supervisory or law enforcement authorities). Any transmission of personal data is encrypted during transmission.

We will only share information and data about you if required to do so by state or U.S. federal law; this includes requests from the Department of Health and Human Services if the agency wishes to verify compliance with U.S. federal law. We may also process and share your health data in order to:

- compliance with federal, state or local laws;

- To provide support for public health activities, such as illness or the use of medical equipment;

- to provide authorities with information to protect victims of abuse or neglect;

- Compliance with federal and state health oversight activities, such as fraud investigations;

- To enforce law enforcement or court orders, subpoenas, or other related sovereign actions;

- Conducting research on internal review protocols to ensure a balance between privacy and research needs;

- Averting a serious threat to health or safety.

GENERAL INFORMATION ON CONSENT TO DATA PROCESSING

Your consent also constitutes consent to data processing under data protection law. Before granting your consent, we will inform you about the purpose of the data processing and your right to object. If the consent also relates to the processing of special categories of personal data, the myoncare app will expressly inform you of this as part of the consent procedure.

For the data processing for which your consent is required (as explained in this Privacy Policy), consent will be obtained as part of the registration process. After successful registration, the consents can be managed in the account settings of the myoncare app.

GDPR rules

Processing of special categories of personal data pursuant to Art. 9 para. 1 GDPR may only take place if this is required by law and there is no reason to assume that your legitimate interests preclude the processing of this personal data or that you have given your consent to the processing of this personal data in accordance with Art. 9 para. 2 GDPR.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that only those individuals are authorized to process personal data that are necessary to fulfill their contractual and legal obligations. Your personal data and health data that you enter in our myoncare app will be made available to your healthcare provider and/or company either directly or via a data service provider (depending on the type of use of the myoncare tools).

In certain cases, service providers support our specialist departments in the fulfilment of their tasks. The necessary data protection agreements have been concluded with all service providers who are data processors for the personal data. These service providers are Google (Google Firebase), cloud storage providers and support service providers.

Google Firebase is a "NoSQL database" that enables synchronization between your healthcare provider's myoncare portal and the myoncare app. NoSQL defines a mechanism for storing data that is not only modeled in tabular relationships by allowing easier "horizontal" scaling compared to tabular/relational database management systems in a cluster of machines.

For this purpose, a pseudo-key of the myoncare app is stored in Google Firebase together with the corresponding care plan. The data transfer is pseudonymised for ONCARE and its service providers, which means that ONCARE and its service providers cannot establish a relationship with you as a data subject. This is achieved by encrypting the data during the transfer between you and your service provider or company (either directly or to any data service provider) and by using pseudo-keys instead of personal identifiers such as name or email address to track these transfers. Re-identification takes place as soon as the personal data has reached the account of your service provider or company in the myoncare portal or your account in the myoncare app, after it has been verified by specific tokens.

Our cloud storage providers offer a range of cloud storage services in which the Firebase manager, which manages the Firebase URLs for the myoncare portal, is stored. In addition, these service providers provide the isolated server domain of the myoncare portal, in which your personal data is stored. It also hosts myoncare's video and file management services, which enable encrypted video conferences between you and your healthcare provider as well as the exchange of files. Access to your personal data by you and your healthcare provider is ensured by sending specific tokens. This personal data is encrypted during transfer and at rest and pseudonymized for ONCARE and its service providers. ONCARE service providers do not have access to this personal data at any time.

Furthermore, we use service providers to process service requests (support service providers) regarding the use of the account, for example, if you have forgotten your password, want to change your stored e-mail address, etc. The necessary order processing agreements have been concluded with these service providers; furthermore, the employees entrusted with the processing of service requests were trained accordingly. Upon receiving your service request a ticket number will be assigned to it.

If it is a service request regarding your account usage, the relevant information that you have provided to us when contacting us will be forwarded to one of the authorized employees of the external service. They will then contact you.

Otherwise, it will remain processed by specially approved ONCARE staff, as described under "PROCESSING OF OPERATIONAL DATA".

Through our support service providers, we use the tool RepairCode, also known as Digital Twin Code which is a customer experience platform for handling external feedback with the ability to create support tickets. Here you will find the

Privacy Policy: https://app.repaircode.de/?main=main-client – Legal/privacy.

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

Personal data will only be transferred to third countries if this is necessary for the fulfilment of the contractual obligation, is required by law or you have given us your consent.

The synchronization of the myoncare app and the myoncare portal takes place via Google Firebase. The Google Firebase server is hosted in the European Union. However, as described in the Google Firebase Terms of Use, short-term data transfers to countries in which Google or its service providers are located are possible; for certain Google Firebase services, data is only transferred to the USA, unless processing takes place in the European Union or the European Economic Area. Unlawful access to your data is prevented by end-to-end encryption and secure access tokens. Our servers are hosted in Germany. For analysis purposes, the emails sent with SendGrid contain a so-called "tracking pixel" that connects to Sendgrid's servers when the email is opened. This can be used to determine whether an e-mail message has been opened.

GDPR - Rules

Data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The lawfulness of the data processing operations that have already taken place remains unaffected by the revocation.

Please note that your data will usually be transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid that contains the EU Standard Contractual Clauses. This ensures that there is a level of protection comparable to that of the EU.

To process activity data, interfaces to Google Cloud services (in the case of GoogleFit) or to AppleHealth or Withings are used within the App User's mobile device . myoncare tools use these interfaces, which are provided by Google, Apple and Withings, to request activity data from the connected health apps. The enquiry sent by myoncare tools does not contain any personal data. Personal data is made available to the myoncare tools via these interfaces.

DURATIONOF STORAGE OF PERSONAL DATA IN ACCORDANCE WITH THE GDPR

We will retain your personal data for as long as it is needed for the purpose for which it is processed. Please note that numerous retention periods require the continued storage of personal data. This applies in particular to retention obligations under commercial or tax law (e.g. Commercial Code, Tax Act, etc.). In addition, your healthcare provider must also ensure the retention of your medical records (between 1 and 30 years, depending on the type of documents).

In addition, and only if your service provider uses the medical device variant of the myoncare tools, certain retention periods resulting from the Medical Devices Act apply due to the classification of the myoncare app as a medical device. Please note that ONCARE is also subject to retention obligations that are contractually agreed with your service provider on the basis of the legal provisions. If there are no other retention obligations, the personal data will be routinely deleted as soon as the purpose has been achieved.

In addition, we may retain personal data if you have given us your consent to do so or if litigation arises and we use evidence within the statutory limitation periods, which can be up to 30 years; the regular limitation period is three years.

TRANSFERS OF PERSONAL DATA

Various personal data are necessary for the establishment, execution and termination of the contractual relationship and the fulfilment of the associated contractual and legal obligations. The same applies to the use of our myoncare app and the various functions it offers.

We have summarized the details for you under the point above. In certain cases, personal data must also be collected or made available in accordance with the legal provisions. Please note that without providing this personal data, it is not possible to process your request or fulfil the underlying contractual obligation.

ACCESS RIGHTS

In order for the myoncare app to work on your device, the app must be given various permissions to access certain functions of the device. For all devices, regardless of the operating system used, it is necessary to grant the app certain permissions, which we call "basic access rights". If applicable, we will list them in order of the operating system (Android or iOS) according to the "basic conditions". Depending on the operating system of the device you are using, it may have additional features that require additional permissions for the app to work.

The basic access rights (Android and iOS) are:

Get Wi-Fi connections

Required to ensure the functionality of document download in conjunction with Wi-Fi connections.

Get Network Connection

Required to ensure the functionality of document download in conjunction with network connections that are not Wi-Fi connections.

Deactivate screen lock (prevent stand-by mode)

Required so that the videos that belong to the provided documents can be played directly in the app without being interrupted by a screen lock.

Access to all networks

Access to all networks is required to download documents.

Turn off sleep mode

This is necessary so that the videos that belong to the provided documents can be played directly in the app without the playback being interrupted by the occurrence of hibernation.

Mobile Data / Access to Mobile Data

If the user wants to download documents exclusively via Wi-Fi, he can make the appropriate setting in the app's menu and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of disabling document downloads over mobile data.

Access to the camera

Camera access is required for scanning QR codes as well as for video consultations.

Access to the microphone

Microphone access is required for video consultations.

Access files and photos

This is required for the exchange of files between you and your connected portal users.

Access to web browsers

This is necessary to view received files from your connected portal users.

We use push notifications, which are messages that are sent to your mobile device as a service of the myoncare app via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The Service Provider's Privacy Policy governs the access, use, and disclosure of personal information as a result of your use of these services.

AUTOMATED DECISIONS IN INDIVIDUAL CASES IN ACCORDANCE WITH THE GDPR

We do not use purely automated processing to make decisions.

YOUR HIPAA RIGHTS

Under HIPAA, you have the following rights:

- Viewing and copying certain portions of your health information. You can request that your health data be made available to you in electronic form. A copy or summary of your health information will be provided to you, usually within 30 days of your request. A reasonable processing fee may be charged.

- You can request that the contents of your health information be changed if you believe that the health information is incorrect or incomplete. You can request correction of health information if you believe it is inaccurate or incomplete.

- Establish mandatory disclosures of your health information for the past six years, with restrictions on treatment, reimbursement, and treatment. A reasonable processing fee may be charged.

- You can request that certain health information that includes treatment, royalty payments or other medical topics may not be used or shared.

- You may request a paper copy of the Privacy Policy at any time, even if you have agreed to receive the notice only electronically.

- File a complaint with the competent authority if you believe that your data protection rights have been violated. You may file a complaint with the U.S. Department of Health and Human Services by mailing a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, by phone at 1-800-368-1019 (toll-free) or 1-800-537-7697 (TTD), or by visiting https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf .

Many U.S. states have enacted their own laws to protect patients' rights, which apply to patients of physicians and/or hospitals and other healthcare facilities. Some of these U.S. states require physicians to provide a copy of these patient rights to their patients.

YOUR RIGHTS AS A DATA SUBJECT UNDER GDPR

We would like to inform you about your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR and include:

Right to information (Art. 15 GDPR): You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period and your rights to rectification, erasure and objection. You also have the right to receive a copy of any personal data we hold about you.

Right to erasure / right to be forgotten (Art. 17 GDPR): You can ask us to delete your personal data collected and processed by us without undue delay. In this case, we will ask you to delete the myoncare app including your UID (Unique Identification Number) from your smartphone/mobile phone.

Right to rectification (Art. 16 GDPR): You can ask us to update or correct inaccurate personal data or to complete incomplete personal data.

Right to data portability (Art. 20 GDPR): In principle, you can request that we provide you with personal data that you have provided to us and that is processed automatically on the basis of your consent or the performance of a contract with you in machine-readable form so that it can be "ported" to a substitute service provider.

Right to restriction of data processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims or an objection to the processing is being examined.

Right to object to data processing (Art. 21 GDPR): You have the right to object to our use of your personal data and to withdraw your consent at any time if we process your personal data on the basis of your consent. We will continue to provide our services if they are not dependent on withdrawn consent.

To exercise these rights, please contact your service provider or company in the first instance or contact us at: privacy@myoncare.com. We will require you to provide sufficient proof of your identity to ensure that your rights are protected and that your personal data will only be disclosed to you and not to third parties.

Please also contact us at any time at privacy@myoncare.com if you have any questions about data processing in our company or if you would like to withdraw your consent. You also have the right to contact the competent data protection supervisory authority.

SUBMIT A COMPLAINT

If you believe that your privacy has been violated by ONCARE, you may file a complaint with us and the U.S. Secretary of Health and Human Services in Washington, D.C. There are no disadvantages for you for filing a complaint. To file a complaint or receive further information, please use the following contact options:

Phone: +49 (0) 89 4445 1156

E-mail: privacy@myoncare.com

Address: Balanstraße 71a

81541 Munich, Germany

Betr: Complaint

To file a complaint with the U.S. Department of Health and Human Services, write to 200 Independence Ave., S.W., Washington, D.C. 20201 or call 1-800-368-1019 (toll-free) or 1-800-537-7697 (TTD) or file an online complaint at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

DATA PROTECTION OFFICER ACCORDING TO GDPR

Our data protection officer is available to answer all data protection questions at privacy@myoncare.com.

AGE RESTRICTION OF THE APPLICATION

A minimum age of 18 years is required to use the myoncare app. If you are under 18 years of age, your parent or guardian must provide the consent to privacy required to use the app.

CHANGES TO THE PRIVACY POLICY

We expressly reserve the right to change this Privacy Policy in the future at our sole discretion. Changes or additions may be necessary, for example, to meet legal requirements, to comply with technical and economic developments, or to meet the interests of app or portal users.

Changes are possible at any time and will be communicated to you in an appropriate manner and in a reasonable timeframe before they become effective (e.g. by posting a revised Privacy Policy at login or by giving advance notice of material changes).

ONCARE GmbH

Mailing address

Balanstraße 71a

81541 Munich, Germany

T | +49 (0) 89 4445 1156

E | privacy@myoncare.com

Contact information of the Data Protection Officer

privacy@myoncare.com

Last updated on October 30, 2024.

* * * *

Privacy Notice (website) of Oncare

Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific laws applicable to us, namely the Egyptian Personal Data Protection Law no. 151/2020 (the “PDPL”). With the help of this privacy notice, we inform you comprehensively about the processing of your personal data by ONCARE GmbH (hereinafter referred to as “Oncare”) when using our website and the rights to which you are entitled.

Personal data is any information that makes it possible to identify a natural person. This includes, in particular, your name, voice, photograph, identification number, date of birth, address, telephone number, email address and IP address, or any data referring to your psychological, medical, economic, cultural or social identity. Data is considered anonymous if no personal reference to the individual/ user can be made.

Responsible body and data protection officer

Postal address: Balanstr. 71a 81541 Munich
E | info@myoncare.com

Contact info of the data protection officer

privacy@myoncare.com

Last updated on 25 April 2023.

Your rights as a data subject

We would first like to inform you of your rights as a data subject. These rights are set out in Articles 1 – 22 GDPR, and include:

  • The right of access (Art. 2 (1.) PDPL),
  • The right to rectification (Art. 2 (3.) PDPL),
  • The right to restriction of data processing (Art. 2 (4.) PDPL),
  • Right to be informed of any personal data breach (Art. 2 (5.) PDPL),
  • The right to object and/or revoke consent to data processing (Art. 2 (2.) and (6.) PDPL).

To exercise these rights, please contact: privacy@myoncare.com. The same applies if you have any questions regarding data processing at our company or when you withdraw your consent. You also have the right of appeal to the relevant data protection supervisory authority.

Right to object

Please note the following with respect to your right to object:
When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.
If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection is free of charge and can be made in any form, if possible to: privacy@myoncare.com
Should we process your data to protect legitimate interests, you may object to such processing at any time for reasons that arise from your specific situation; this also applies to profiling based on these provisions.

We will then cease to process your personal information unless we can demonstrate compelling legitimate grounds for processing such information that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

Purposes and legal bases of data processing

The processing of your personal data complies with the provisions of the PDPL and all other applicable data protection regulations. Legal bases for data processing arise in particular from art. 6 PDPL.

We use your data to initiate business, to fulfill contractual and legal obligations, to conduct the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.
Your consent also constitutes permission to data processing under data privacy law. In this respect, we will inform you of the purposes of data processing and your right of objection. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.

Processing of special categories of personal data within the meaning of art. 1 PDPL as well as Art. 12 PDPL may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such data or you have given your consent to the processing of these data according to art. 12 PDPL.

Google services may transfer data to countries outside of the Arab Republic of Egypt (third country data transfer), e.g. to the USA, as part of the processing for the aforementioned purposes. Countries outside of the Arab Republic of Egypt may not offer a level of data protection comparable to that in Egypt. Such countries for which the Commission has not explicitly determined that they provide an adequate level of protection with respect to data privacy are referred to as “unsafe third countries.” There is an increased risk that government authorities may access this data. We have no influence on these processing activities.

Data transfers / Disclosure to third parties

We will only transmit your data to third parties within the scope of given statutory provisions or based on consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

Data recipients / categories of recipients

In our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.
In many cases, service providers assist our specialist departments to fulfil their tasks. The necessary data protection contracts have been concluded with all service providers.

Transfers of personal data to third countries

A transfer of data to third countries (outside the Arab Republic of Egypt) shall only take place if required by law or if you have provided your consent for such a transfer.
We transfer your personal data to service providers or group companies outside Arab Republic of Egypt as follows: United States of America.
In such cases, compliance with the required level of data protection is ensured by Egypt standard contractual clauses, the binding corporate data protection regulations of the service provider according to the established data protection contracts.

Period of data storage

We store your data for as long as such is required for the relevant processing purposes. Please note that numerous retention statutory periods require that data must be stored for a specific period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless a further period of retention is required.
We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 5 years.

Secure transfer of data

We implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use the latest encryption protocols. When you use the contact form on our website to get in touch with us, the content is sent via https to a secure server of Site Ground, where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data. It is also possible to use alternative communication channels.

Obligation to provide data

A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.
We have summarised the relevant details in the above point. In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.

Data categories, sources and origin of data

The data we process is defined by the relevant context: it depends on whether, for example, you enter a request on our contact form or if you want to send us an application or submit a complaint.
Please note that we may also provide information at specific points for specific processing situations separately where appropriate, e.g. when downloading our flyer or when making a contact request.
We collect and process the following data when you visit our website:

  • Your IP address which is immediately hashed by removing the last two digits
  • The URL and the title of the page you are viewing
  • The browser (name) you are using
  • Viewport or viewing pane (the size of the browser window)
  • Your screen resolution
  • Whether or not you have Java enabled
  • The language enabled in your browser

For reasons of technical security (in particular to safeguard against attempts to attack our web server), this data is stored in accordance with Article 6 (1) of the PDPL. Anonymisation takes place immediately by abbreviating the IP address so that no reference is made to the user.

WordPress

Oncare uses the web design platform WordPress (WordPress, Org) to manage our website and the provider Site Ground (SiteGround Spain S.L.) to host the website. For more details on the data processed by WordPress and Site Ground see sections ‘Data categories, sources and origin of data’ and ‘Secure transfer of data’ below and the privacy policy of WordPress and Site Ground.

SendGrid

We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.
For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 PDPL). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.
Please note that your data is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in Egypt exists.
SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Google Fonts

We use Google Fonts provided by Google Inc on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for the European area. We have embedded the Google fonts locally, on our web server – not on Google’s servers. This means that there is no connection to Google servers and therefore no data transfer or storage. This is an interactive directory of over 800 fonts that Google provides free of charge. To prevent any information transfer to Google servers, we have downloaded the fonts to our server. In this way, we act in a privacy compliant manner and do not send any data to Google Fonts.

Cookie Pro

This website uses the cookie consent tool “CookiePro” provided by OneTrust LLC, 1200 Abernathy Rd NE, Sandy Springs, GA 30328, USA (“OneTrust”) to obtain effective user consent for cookies and cookie-based applications. By integrating a corresponding JavaScript code, users are shown a banner when they access the page, in which consent can be given for certain cookies and/or cookie-based applications. The tool blocks the setting of all cookies requiring consent until the respective user gives corresponding consent. This ensures that such cookies are only set on the respective end device of the user if consent has been granted. In order to be able to clearly assign page views to individual users and to individually record, log and store the consent settings made by the user for a session duration, certain user information (including the IP address) is collected by the cookie consent tool when our website is accessed, transmitted to OneTrust servers and stored there.
This data processing is carried out pursuant to Art. 6 (4) PDPL on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website. We, as the controller, are subject to the obligation to make the use of technically unnecessary cookies dependent on the respective user consent.

SEOPress

We use SEOPress plugins on our website, a service provided by SEOPress SAS, 26 allée de Cantau, 64600 Anglet, France. The plugin handles the technical optimization of our websites for search engines and also assists with content development. You can prevent the storage of cookies by selecting the appropriate settings on your browser; we would like to point out that in this case you may not be able to use all functions of this website to their full extent. For more information please visit https://www.seopress.org/privacy-policy/. This data processing is carried out pursuant to Art. 6 PDPL (4) on the basis of our legitimate interest.

Polylang Pro

We use Polylang for the multilingualism of our website. Polylang is a product provided by WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. Polylang cookies are set solely to recognize and record the language used or selected by the user. These cookies are stored for one year and after that period deleted. For more information on data privacy compliance, please visit: https://polylang.pro/privacy-policy/.
This data processing is carried out pursuant to Art. 6 (4) PDPL on the basis of our legitimate interest.

We collect and process the following data as part of a contact request:

  • Name and salutation
  • E-mail address
  • Type of your request
  • Information on your interests and inquiries (your message)
  • Company / organization

We process the following data as part of a job application you send us:

  • Name and salutation
  • Contact details you provide to us
  • Information on your professional career (CV), qualifications and certificates
  • Information you provide during application interviews and our notes thereof
  • The position you applied for, your salary expectations, you expected entry date and in exceptional cases your piece of identification
  • Any other information you provide to us during the application process.

We collect and process the following data in the context of job applications:

  • Last name, first name (maybe also title)
  • Address
  • Contact details (telephone number, e-mail address)
  • If applicable, contact data in electronic communication solutions (e.g. Skye, MS Teams) that you submit to us
  • Qualification data (CV, professional qualifications, work experience)
  • In addition, we use data that we have permissibly obtained from publicly accessible directories (e.g. professional networks).

Thank you for your interest in working for Oncare GmbH. We are aware of the importance of your data and process the personal data you provide us only for the purpose of effective and correct processing and for contacting you as part of the job application process. The data will not be transferred to third parties without your consent.

You will be asked to provide personal information. We observe the principle of data economy and data avoidance by only requiring you to provide us with data that we need to review your job application documents, such as your CV, or that we are legally obligated to collect. To protect the security and confidentiality of your data, we implement appropriate security measures. In addition, we recommend that you send us your application documents in “zipped” form (e.g. 7z or .zip) with password protection by e-mail. Afterwards, please give us the password by telephone. Alternatively, you can also send us your application documents by post mail. We store your data for the above-mentioned purposes until the application process has been completed and related deadlines have expired – at the latest six months after receipt of a decision.

If your job application is unfortunately unsuccessful, your data will be deleted by us within six months of rejection. If your application is successful, your application documents will be included on the HR files and will only be deleted after you have left the company and statutory retention periods have expired.
We are supported by our service provider JOIN Solutions GmbH (hereinafter “Join”) in carrying out the application process. For this purpose, we use a widget of the provider JOIN, Schönhauser Allee 36, 10435 Berlin, Germany. If you apply to a job, your application data will be processed by Join on our behalf as instructed. We have concluded the required data protection agreement with Join for data processing on our behalf, in which Join is obligated to process the data in accordance with the principles of PDPL and in accordance with our instructions.

Join widget: We use a Join widget to display current job offers. Cookies are set by the Join widget. The legal basis for the processing is Art. 6 (1.) PDPL.

Contact form / Contact via email (Article 6 (1) PDPL)

A contact form is available on our website which can be used to contact us electronically. If you write to us using the contact form, we will process the data you submitted in the contact form to respond to your queries and requests.
In so doing, we respect the principle of data minimisation and data avoidance, such that you only have to provide the information we require to contact you, which is your name, salutation, email address and the type of your request. Your IP address will also be processed (and hashed immediately) for technical reasons and for legal protection. All other data is voluntary, and additional fields are optional (e.g. to provide a more detailed response to your questions).

If you contact us by email, we will process the personal information provided in the email solely for the purpose of processing your request.

Automated decisions in individual cases

We do not use purely automated processing to make decisions.

Cookies

Our website uses “cookies” at various locations, which serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser (locally on your hard disk). Cookies enable us to analyse how users use our websites so we can design the website content in accordance with the visitor’s needs. Cookies also allow us to measure the effectiveness of a particular advertisement and, for example, to place it based on the user’s interests.
When you first visit our website, a pop-up (CookiePro) opens from which you can give your consent to the use of categories of cookies which are described below as well as in the CookiePro pop-up itself.
The following categories of cookies are used on our website:

  • Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies include for example the ones used by CookiePro (OneTrust) to maintain cookies based on your consent. You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.
  • Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
  • Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Most of the cookies we use are “session cookies”, which will be automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired or you delete them yourself prior to expiry.
In order to revoke your consent to the use of cookies (except for strictly necessary cookies which are always enabled), you can navigate to the footer of the website and deactivate categories of cookies in the CookiePro pop-up via the link ‘Cookies Settings’.

Furthermore, cookies are stored on the user’s computer which then transmits them to us. As a user, you therefore exercise full control over the use of cookies. You can change the settings in your Internet browser to disable or restrict the sending of cookies. In addition, cookies that have already been saved on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all the current Internet browsers.
Please note: If you deactivate the placing of cookies on your device, you may not be able to access all our website functions in certain circumstances.

Web tracking (Article 6 (1) PDPL)

Matomo

This is an open source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transfer any data to servers outside the control of ONCARE. Matomo is deactivated when you use our services. Only after you have actively allowed it, your user behaviour will be recorded anonymously. By deactivating, a “permanent cookie” will be stored, if your browser settings allow this. This cookie serves the purpose of signaling Matomo not to capture your browser.
The information on usage collected by the cookie is transferred to our servers and saved there so that we can analyse user behaviour.
The information generated by the cookie on how you use our services will not be passed on to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use the full functionality. For more information visit: https://matomo.org/privacy-policy/.
The processing of the users’ personal data enables us to analyse the surfing behaviour of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and its user-friendliness.

We process and store personal data only for as long as this is necessary for the fulfilment of the intended purpose.

Google Analytics

Based on your consent (art. 6 (1) PDPL) we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transferred to a Google server in the USA and stored there.
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. The processed data can be used to create pseudonymous user profiles of the users.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states that are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software; accordingly, users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google as described in section ‘Cookies’ above.
Further information on the use of data by Google, setting and objection options, can be found in the privacy policy of Google and in the settings for the display of advertising by Google.

The personal data of users will be deleted or made anonymous after 12 months.

Google Marketing Platform (Doubleclick before)

On this website we use Google Marketing Platform (hereinafter Doubleclick), a Google service. Doubleclick is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We use Doubleclick to make your stay on our website as pleasant as possible by integrating Google Maps. Doubleclick uses cookies, in particular to provide tailored ads to you.
You can be addressed again by Google with suitable advertising offers on pages of Google Network, as you have visited or used corresponding websites and offers before. The information generated by the cookie may be transferred to a Google server in the USA and stored there. Google may also use the IP address of your browser for the display of ads. No data transmission takes place without your previously declared consent (Art. 6 (1) PDPL) on our cookie banner. You can revoke this at any time by the “Cookie Settings” in the footer of our website. You can also deactivate the use of cookies by Google. Please note that you will not be able to access Google services embedded on our website (Google Maps) without your consent or if you deactivate use of cookies by Google.
Doubleclick is a service of a third company (Google) that is independent from us and we cannot influence its data processing procedures. Further information on how Google handles the data it collects from you, as well as other Google privacy policies, are available at http://www.google.com/intl/de/policies/privacy/.

Google Maps-Plugin

Our website uses Google Maps (Google LLC) plugins. The plugins are deactivated until you specifically activate it by clicking on the plugin or have given your consent via our cookie banner (consent according to Art. 6 (1) PDPL). Google will store your IP address after activation. It is usually transferred to a Google server in the USA and stored there.
You can find more information on the handling of user data in Google’s privacy policy at https://www.google.de/intl/de/policies/privacy. However, you use this platform and its functions on your own responsibility. We would also like to point out that your data may be processed outside the European Union.

YouTube-Plugin

Our website uses YouTube plugins, YouTube is operated by Google. The operator is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surf behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please see YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy

LinkedIn Insight Tag

Our website uses the conversion tool “LinkedIn Insight Tag” provided by LinkedIn Ireland Unlimited Company. The tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) pseudonymized. The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data are deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us. LinkedIn stores the personal data of the website visitors on its servers in the USA and uses it for its own advertising measures. You can find more detailed information on data protection at LinkedIn in the LinkedIn privacy notices.
The use of LinkedIn Insight is based on Art. 6 (1) PDPL.

Privacy policy / Notes on data protection in social media

Oncare GmbH maintains presences in the social medias, especially on Xing and LinkedIn. In case that we have control over the processing of your data, we will ensure that applicable data protection regulations are applied. Below you find the most important information on data protection laws regarding our social media presences.

Name and address of the controller

The following companies are responsible (as controller) for our social media presences, beside Oncare GmbH, according to the EU General Data Protection Regulation (GDPR) and other data protection provisions (including the PDPL):

  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  • Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland)

However, you use these platforms and their functions on your own responsibility, especially the use of interactive functions (e.g. commenting, sharing, rating). We would also like to point out that your data may be processed outside the European Union.

Purposes and legal basis

We maintain the social media presences in order to communicate with users and to inform them about our products and services. Furthermore, we collect data for statistical purposes in order to develop and optimize our content and to design more attractive products/services. The data required for this purpose (e.g. total number of page views, page activity and data provided by visitors, interactions) is processed by the social networks and made available to us. We have no influence on the generation and presentation.

In addition, your personal data will be processed by the social media providers for market research and advertising purposes. It is possible that, for example, based on your usage behavior and your interests, usage profiles are created. With the consequence that ads are placed inside and outside platforms that match your interests. Cookies are usually stored on your computer for this purpose. Data that is not collected directly on your end devices may also be stored in your usage profiles. Storage and analysis also take place across devices; this applies in particular, but not exclusively, if you are registered as a member and logged in your account.

We do not collect or process any further personal data.

The processing of your personal data by Oncare GmbH is based on our legitimate interests to get appropriate information and reach sufficient communication pursuant to Art. 6 (4) PDPL. If you are asked for consent to data processing, i.e. if you declare your consent by confirming a button or similar (opt-in), the legal basis of the processing is Art. 6 (1) PDPL.

Your rights / objection option

If you are a member of a social network and do not want the network to collect data about you by our presence and link it to your social media membership data with the respective network, you must:

  • log out of the social network before visiting our social media site,
  • delete the cookies present on the device and
  • close and restart your browser.

After logging in again, however, you will once more be recognizable to the network as a specific user. For a detailed description of the processing and the possibilities to object (opt-out), we refer to the following information:

LinkedIn
Statement: https://www.linkedin.com/legal/privacy-policy;
Opt-Out: https://www.linkedin.com/legal/cookie-policy and http://www.youronlinechoices.com;

Xing
Privacy Statement: https://privacy.xing.com/de/datenschutzerklaerung;
Opt-Out: http://www.youronlinechoices.com.

You have the following rights regarding the processing of your personal data:

right of access, right to rectification, right to erasure / right to be forgotten, right to restriction of data processing, right to data portability, right to object to data processing and the right to file a complaint about unlawful processing of your personal data with the competent data protection authority. As Oncare does not have full access to your personal data, you should contact the social media provider directly if you wish to assert your claim, because your provider has access to the personal data of the users and can take appropriate measures and provide information. If you still need help, we support you. Please contact privacy@myoncare.com.

Online offers for children

Persons under the age of 16 may not submit personal data to us or give a declaration of consent without the authorisation of their legal guardian. We encourage parents and guardians to actively participate in the online activities and interests of their children.

Links to other providers

Our website also contains clearly identifiable links to the Internet sites of other companies. Although we provide links to websites of other providers, we have no influence on their content, and no guarantee or liability can therefore be assumed for such. The content of these pages is always the responsibility of the respective provider or operator of the pages.
The linked pages were checked at the time of linking for potential legal violations and identifiable infringements. No illegal content was identified at the time of linking. However, a permanent content control of the linked pages is not reasonable without concrete evidence of an infringement and, upon notification of a violation of rights, such links will be promptly removed.

PRIVACY POLICY EGYPT

Welcome to myoncare, the digital health portal for efficient and needs-oriented patient care.

For us at Oncare GmbH  (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare Portal is of major relevance and importance. We are aware of the responsibilities to provide and save your personal data in the myoncare Portal. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.

We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the Egyptian Personal Data Protection Law no. 151/2020 (the “PDPL”). Furthermore European Data Protection rules apply, for more information please check our Privacy Notice (Europe). This Privacy Notice tells you why and how Oncare processes your personal data which we collect from you or which you provide to us, when you decide to use myoncare Portal. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.

Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare.

DEFINITIONS

App User” means any user of the myoncare App (your patient).

Blockchain” in the myoncare system is an additional database that stores data from all the installations.

Careplan Provider” means any Health Care Professional or other third-party (e.g., medical device manufacturer, pharmaceutical company) offering Careplans to Portal Users through the myoncare Store or through any other data transfer method (e.g., email).

Careplan User” means any Health Care Professional (Portal User), using a Careplan for communication with their Registered Patients.

Health Care Provider” means you or any other doctor, clinic, health care institution or other health care professional acting on its own or on behalf of you or any other doctor, clinic or health care institutions (intended user).

myoncare App” means the myoncare mobile app intended for the use by patients who want to use the services provided by Oncare.

myoncare Store” means the platform run by Oncare that provides digital care concepts (Careplans) to be used for your registered patients wellbeing through the myoncare Portal.

myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and patients as App Users.

myoncare Tools” means both, myoncare App and myoncare Portal, together.

myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App Users via the myoncare App, as applicable.

Oncare“ means ONCARE GmbH, Germany.

Portal User” means you or any other Health Care Provider using the web-based myoncare Portal.

Patient Privacy Notice” means the privacy statement that describes the collection, use and retention of the personal (health) information of patients using myoncare App.

Privacy Notice” means this statement made to you as user of the myoncare Portal that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.

myoncare PWA” means the myoncare Progressive Web App application for patients who wish to use the services offered by Oncare by the PWA  and not by the myoncare app.

Standard Terms” means the Standard Terms and Conditions for using the myoncare Portal.

RESPONSIBLE ENTITY

Oncare GmbH, a company registered with the Munich Local Court with the Register number 219909 with its office located at Balanstraße 71a, 81541 Munich,  Germany offers and operates the interactive web portal myoncare Portal (for Health Care Professionals) and the mobile application myoncare App (for patients) giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare Portal. For the use of myoncare App by patients, you can find a separate Patient Privacy Notice here.

Myoncare PWA

A progressive web app (PWA) is a website that looks and behaves as if it is a mobile app. PWAs are built to take advantage of native mobile device features, without requiring the user to visit an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing most of the benefits of native mobile apps to the mobile browser. The PWA is based on the technology of “React Native for Web”. “React Native for Web” is an open source software for PWA applications.

Before patients can use the myoncare PWA, they need a computer or smartphone and an active internet connection. An app does not need to be downloaded.

Some of the myoncare app services cannot be used within the myoncare PWA as described below. These are the following services or specifications:

-Chat with a care team;

-Video calls;

-Security PIN codes;

-Activity data tracking (e.g. AppleHealth, GoogleFit, Withings).

The following information regarding the myoncare app also apply to the myoncare PWA, unless otherwise stated in this section.

WHAT IS PERSONAL DATA

Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, voice, photograph, identification number, date of birth, address, telephone number, e-mail address and IP address, or any data referring to your psychological, medical, economic, cultural or social identity. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.

WHICH PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP

We may process the following data categories about you while using the myoncare App:

Operational Data: Personal data provided to us when you register and log in to our myoncare Portal, contact us regarding any problems with the Portal or otherwise interact with us with the purpose of using the Portal (“Operational Data”);

Treatment Data: You will enter personal data of your patients, such as name, age, height, weight, indication, disease symptoms and further information in connection with the treatment of your patients (e.g. in a Careplan) in myoncare Portal (“Treatment Data”). Treatment Data are personal data of your patients which are collected or processed, when you interact with your patient via myoncare Portal;

Store Business Data: Personal data which will be processed by us when you are using the myoncare Store either as author of Careplans or as buyer of Careplans. The use of the myoncare Store will require the processing of your name and contact information as well as your payment details (payment details only in case Careplan is subject to a fee) (“Store Business Data”).

Activity Data: Personal data which will be processed by us when any App User connects myoncare App to a Health App (e.g. AppleHealth, GoogleFit, Withings). Activity Data of your connected patients is available to you within the myoncare Portal.

Product Safety Data: Personal data which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal data as reporter of incidents may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies.  (“Product Safety Data”).

Reimbursement Data: Personal Data which are required for the reimbursement process (“Reimbursement Data”).

BLOCKCHAIN TECHNOLOGY

Blockchain technology (“Blockchain“) (European Patent No. 4 002 787),  is an optional offered service, it is not mandatory. It is on you, the Health Care Provider, to decide to use the Blockchain solution. The Blockchain is supported by Hyperledger Fabric.  Hyperledger Fabric is an open source software for enterprise-grade blockchain deployments. It offers a scalable and secure platform that supports blockchain projects.

Blockchain in the myoncare system is an additional database that stores data from all the installations. All the data is stored in Germany. It is a Private Blockchain (“Private Blockchain“), it allows the entry of only selected verified participants, and it is possible to override, edit, or delete entries as required.

In general, the Blockchain is made up of digitally recorded data in a chain of packages called ‘blocks’ that store records of transactions. The manner in which these blocks are linked is chronological. The first block created is called a genesis block and each block added afterwards will have a cryptographic hash that refers to the previous block, allowing to trace transactions and changes to information going back to the Genesis block. All transactions within the blocks are validated and agreed upon by a consensus mechanism, ensuring that each transaction is true and correct.

Each block contains the list of transactions, its timestamp, its own hash, and the previous block’s hash. A hash is a function used to convert digital data to a fixed-sized alphanumeric string. If an unauthorized person tries to update the data from a single block, the hash of the block would also change and the linking to this block would be lost. At this moment, the copy blockchain will not be in sync with the other copies. When all nodes try to sync their copies they would realize that this one copy is different and then the network marks this node as illegitimate. This process makes it quite difficult for unauthorzed persons to tamper with the records in the blockchain.

Our Blockchain is a Private Blockchain. A Private Blockchain is decentralized. It is a distributed ledger that operates as a closed database.  Unlike Public Blockchains, which are “permissionless”, Private Blockchains are “permissioned,” because approval is required to become a user. In contrast to Public Blockchains that are open for everyone, Private Blockchains require some form of authorization. This allows to take advantage of the security and immutability of blockchain technology while also complying with privacy regulations, most notably the Personal Data Protection Law (PDPL). Private Blockchain records can be edited, overridden or deleted; deleted means in this context to erase the reference to the UUID (Universally Unique Identifier) in the customer´s database. The result is that the hash is anonymized in the Blockchain database, with the consequence that this process is compliant with the General Data Protection Regulation and the PDPL, and it guarantees the rights of a data subject (Right to erasure ‘right to be forgotten’ inter alia, Art. 2 PDPL).

Types of data that are stored and processed on the Blockchain:

-Patient UUID

-Site/Institution UUID

-Asset UUID

-Hash of Caretask & Asset Data.

(UUID: Universally Unique Identifier).

The data stored in the Blockchain is pseudo-anonymous.

Our Blockchain intends to provide services that help prove the integrity of the data related to the privacy policy, patient profile, assets, and the assigned caretasks and medications. To communicate with the blockchain, the user needs to enroll a set of public-private keys. The enrollment process generates certificates that are stored in a separate database for Health Care Providers and on the phone for the patients. A backup of the patient’s keys is encrypted and stored in the Health Care Provider database which can be accessed only by the patient.

For the privacy policy consent verification, whenever the Health Care Provider intends to communicate with the patient, the system checks if the patient has valid consent to the privacy policy of the health care institution. The blockchain is used to guarantee the integrity and accountability of the record that stores that the patient has accepted the privacy policy.

When the Health Care Provider uploads the new version of the privacy policy, the hash of the file is stored in the blockchain, and after the patient consents to the privacy policy, this interaction is stored on the blockchain. For each communication with the patient, the blockchain returns a flag if the patient’s consent is still valid for the recent privacy policy by comparing the hash.

Similarly, for the patient sync feature, the integrity of the patient profile is assured by the blockchain. The Health Care Provider knows if the patient profile is out of sync with the profile on the phone by comparing the hash of the patient profile on the blockchain. This enables the Health Care Provider to have the most recent patient profile information.

myoncare Portal:

If the Health Care Provider decides to use the Blockchain solution, ONCARE will add an extra service called adapter service that will be used to communicate with the Blockchain. The Blockchain instance is hosted by ONCARE.

myoncare App:

The patients can connect to the same Blockchain instance, and it is done with the help of the phone manager service. This service is also hosted by ONCARE.

Justification of Processing: The processing of data by Oncare for the Health Care Provider is based on Art. 6 PDPL (data processor’s obligations).

PROCESSING OF OPERATIONAL DATA

In case you are a contact person to run the Portal at your site/practice (e.g. IT administrator, appointed Health Care Professional), you might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the Portal or in case of a service request.

In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:

• The personal data that you have provided to register and/or log in to our Portal (e.g. name, date of birth, profile picture, contact details)

Authorized Oncare employees who have access to your database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.

For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.

Types of Data: E-mail-address, date of birth, registration date, your IP address, pseudo keys generated by the Portal .

The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.

Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare Portal and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.). In addition, personal data (e-mail-address) is needed and processed for the 2-factor-identification in each case of your log-in to myoncare Portal.

Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 2 PDPL to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare Portal.

PROCESSING OF TREATMENT DATA

During the use of myoncare Portal, you will enter personal (health) data of your patients to myoncare Portal (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your patients will be able to upload patient related documents and files to myoncare Portal and share the files with each other. Additionally, location functions can be generated and implemented.

  • the addition of a location;
  • uploading the logo of the location;
  • to add the details of the location;
  • to upload a privacy policy; and
  • it is possible to create further consent requirements for the patient, for which the patient must give consent to connect to the site.

An uploaded privacy policy is displayed to any patient who connects to the site. All consent statements must be defined in the uploaded privacy policy. Once a privacy policy has been uploaded, it can only be replaced with a new version, but not deleted.

The files will be stored in a cloud database hosted in Egypt. You can allow sharing such files with other Portal Users of your own institution for medical reasons. Other Portal Users will not be able to access these files.

You (not Oncare) will be responsible for a legitimate processing of the personal data.

We process such personal data, including the patients’ health data, under an agreement with you and in accordance with your instructions. For the purposes of using myoncare Services with patients’ health data, you will, therefore, be the responsible data controller. Please process your patients’ data only if you have obtained the required data consent of such patients. Oncare will act as data processor in compliance with the separate data processing contract we have concluded with you based on Art. 6 PDPL.

PROCESSING OF STORE BUSINESS DATA

– Only applicable if you are using myoncare Store either as Careplan Provider or as Careplan User –

myoncare Store is integrated in myoncare Portal and offers the exchange of Careplans and after registering to the myoncare Portal, you will be able to connect to myoncare Store with your log-in information of myoncare Portal. You will be able to use myoncare Store for own Careplans as Careplan Provider or for purchasing a Careplan as Careplan User.

Data of Careplan Provider:

Types of Data: Name, contact details, bank account information

Processing of Store Business Data: If you want to offer an own Careplan to other Portal Users, you will have to provide your name and contact details with the Careplan. These details will be visible to other Careplan Providers and Careplan Users using myoncare Store, in case you decide to “publish”. If you decide for “internal use”, your personal data related to your Careplan will only be visible to Careplan Providers and Careplan Users of your own institution.

In case of a purchase of your Careplan by a Careplan User, your personal data (name and contact details) will be processed to agree on a Careplan licence agreement between you and the Careplan User.  If your Careplan is offered for a fee, you will also need to provide your bank account details, as the Careplan Users will have to be able to pay the fee for your Careplan. In addition, we as Oncare will process the information on the use of the Careplan, the fee schedule and your personal data related to the Careplan to track the commission fee.

In the case of the tracking of commission fee, Oncare will act as data controller. For all other cases (data exchange between Careplan Provider and Careplan User, licence agreement, payment etc.), Oncare acts as data processor for the Careplan Provider in compliance with the separate data processing contract we have concluded with you based on Art. 6 PDPL.

Justification of processing of Store Business Data: Legal basis for the processing of personal data of Careplan Provider by Oncare as data controller is Article 6 PDPL.

Data of Careplan User:

The Careplan User data processed by using the myoncare Store will be used for entering into a license agreement with the Careplan Provider and, if Careplan offered for a fee, for processing and control of the payment process between the Careplan Provider and the Careplan User.

Types of Data: Name, contact details, bank account information.

Processing of Store Business Data: When purchasing a Careplan in myoncare Store (either for free or based on a purchase price offered by the Careplan Provider), the Careplan User will have to enter his/her personal data and contact details with the aim to conclude a licence agreement with the Careplan Provider. In addition, payment details will be processed (if there is a usage fee) to the Careplan Provider.

Justification of processing of Store Business Data: Legal basis for the processing of personal data is the separate data processing contract we have concluded with the Careplan Provider based on Art. 6 PDPL.

PROCESSING OF ACTIVITY DATA

– Only applicable if your connected App Users agree to and activate the data transfer –

myoncare Tools offer the possibility to App Users to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit, Withings) (“Health App”), if those are used by the App User and if the connection is desired by the App User. If the connection is established, Activity Data collected by the Health App is transferred to you with the purpose of providing additional, contextual information about the App Users activity to you. Please note that Activity Data are not validated by myoncare Tools and shall not be used for diagnostic purposes or as basis for medical decision making.

The processing of Activity Data to you falls within the own data responsibility of your patients.

Types of data: The type and extent of data transferred depend on the decision of the App User. Data can include, inter alia,  weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.

Purposes of processing of Activity Data: Activity Data of the App User is transferred to you with the purpose of providing additional, contextual information about the App Users’ activity to you. Please note that Activity Data are not validated by myoncare Tools and shall not be used for diagnostic purposes or as basis for medical decision making.

Justification of Processing of Activity Data: Data Controller is the patient him-/herself who grants you access to his/her Activity Data just for review of the shared information. Therefore, no further justification is needed.

PROCESSING OF PRODUCT SAFETY DATA

As manufacturer of the myoncare Tools, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the Tools, evaluation of incident reports which might be connected to the use of the Tools, tracking of users etc.). In addition, you might collect personal data in myoncare Tools regarding specific medical devices or pharmaceuticals used in the treatment of your patients. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).

Oncare is data controller for Product Safety Data.

Types of Data: Case reports, personal data provided in an incident report and results of evaluation, reporter details.

Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by you as reporter of such information, by your patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.

Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations is Art. 6 and 12 PDPL.

PROCESSING OF REIMBURSEMENT DATA

– Only applicable if you are using myoncare Tools for reimbursement –

myoncare Portal will assist you to start your standard reimbursement processes for the health services provided to your patients via myoncare App. To enable the reimbursement process, myoncare Portal will support the collection of your patient’s personal (health) data from myoncare Portal to facilitate the standard reimbursement processes you might want to transfer to the patient’s cost payer (either your Association of Statutory Health Insurances and/or the patient’s health insurer). You will be the data controller for Reimbursement Data and responsible for the compliance with data protection regulations for your patients’ data processed in the reimbursement process. Oncare is acting as data processor based on the data processing agreement with you.

Types of Data: Patient’s name, diagnosis, indications, treatment, period of treatment, other data required for reimbursement administration.

Processing of Reimbursement Data: You as responsible data controller will transfer the patient’s Treatment Data required to receive reimbursement to the cost payer (either your Association of Statutory Health Insurances and/or the patient’s health insurer) and the cost payer will process the Reimbursement Data to provide reimbursement to you.

WHAT TECHNOLOGY IS USED BY MYONCARE PORTAL AND MYONCARE APP?

myoncare Portal works as a web based tool for which you need a working internet connection and any current version of the internet browser Chrome, Firefox or Safari.

SECURE TRANSFER OF PERSONAL DATA

We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.

The data exchange to and from the Portal and App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only transmit your personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

All transfer of personal data is encrypted during transfer.

The information on how we handle the personal (health) data of your patients acting with myoncare App is summarized in a separate Privacy Notice for the myoncare Patient App. You can find this Patient Privacy Notice here. Please also read this Patient Privacy Notice carefully. For some processing of patient data, you will be the data controller and responsible for the compliance with data protection (e.g. transfer of treatment data to the patient).

SendGrid

We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.

The emails are related to the following tasks:

-First login to the Web Application;

-Password reset workflow for the Web Application;

-Account creation for the Patient Application;

-Password reset for the Patient Application;

-Replacing push notifications by emails for PWA (Progressive Web App) in the following cases:

(i)   When a Caretask is set to expire in one day;

(ii)  When a Caretask is set to expire in one hour;

(iii) Medication has been assigned;

(iv)  When the privacy policy has been updated.

For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 PDPL). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.

Please note that your data  is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU exists.

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Matomo

This is an open source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transfer any data to servers outside the control of ONCARE. Matomo is deactivated when you use our services. Only after you have actively allowed it, your user behaviour will be recorded anonymously. By deactivating, a “permanent cookie” will be stored, if your browser settings allow this. This cookie serves the purpose of signaling Matomo not to capture your browser.

The information on usage collected by the cookie is transferred to our servers and saved there so that we can analyse user behaviour.

The information generated by the cookie about your use is:    

-User role

-User geolocation

-User browser

-User OS

-IP Address

-Pages/screens visited in Web and PWA (see section about PWA in this Privacy Statement)

-Buttons the user clicks in Web and PWA

-Time user spent.

The information generated by the cookie on how you use our services will not be passed on to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality. For more information visit: https://matomo.org/privacy-policy/.

The legal basis for the processing of the users’ personal data is Art. 6 para. 1 of the PDPL. The processing of the users’ personal data enables us to analyse the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and its user-friendliness.

We process and store personal data only for as long as this is necessary for the fulfilment of the intended purpose.

GENERAL INFORMATION ON CONSENT TO DATA PROCESSING

Your consent also constitutes permission to data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the data processing and your right of objection.

If the consent also relates to the processing of special categories of personal data (i.e. sensitive data under the PDPL), myoncare Portal will explicitly notify you in the consent process. Processing of sensitive data according to Art. 9, 12 & 13 PDPL may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 12 Paragraph 2 PDPL.

For the data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare Portal. In addition, Oncare will ask you to agree on a data processing agreement for the data processed by Oncare under your responsibility as data controller.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that the only persons entitled to process personal data are the ones who are required to do so in order to fulfil their contractual and statutory duties.

In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processors for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal and the myoncare App used by your patients. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.

For this purpose, a pseudo key of the myoncare Portal and the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you or your patient as a data subject. This is achieved by encryption of the data during transfer and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers.  Re-identification happens once the personal data has reached the patient account in myoncare App or your account in myoncare Portal after verification via specific tokens.

Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your and your patients’ personal data are stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your patient, respectively. Access to all personal data by you and your patient is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

No personal data collected by myoncare Portal or myoncare App will be stored in the app stores. Personal Data will only be transferred to third countries (outside of Egypt) if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent.

Synchronization of myoncare Portal with myoncare App takes place via Google Firebase. The Google Firebase servers are hosted in the EU. However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its’ service providers have establishments are possible. In the case of certain Google Firebase services, data is only transferred to the USA if no processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany. In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth or Withings within the mobile device of the App User are used. Myoncare Tools use these interfaces which are provided by Google, Apple and Withings, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.

PERIOD OF PERSONAL DATA STORAGE

We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.).

Please note that Oncare is also subject to storage obligations which are contractually agreed with you on the basis of legal provisions. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.

In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is five years.

OBLIGATION TO PROVIDE PERSONAL DATA

Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare Portal and the various functions it provides.

We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your inquiry or to execute the underlying contractual obligation without providing this personal data.

AUTOMATED DECISIONS IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

YOUR RIGHTS AS A DATA SUBJECT

We would like to inform you of your rights as a data subject. These rights are set out in article 1 PDPL and include:

Right of access (Art. 1, (1.) PDPL): You have the right to access and be provided with a copy of any personal data that we hold about you;

Right to rectification (Art. 1, (3.) PDPL): You can require us to correct or amend, or erase or complete your personal data;

Right to restriction of data processing (Art. 1, (4.) PDPL): You can require us to “restrict” our use of your information, so that we can continue the use your information only subject to restrictions;

Right to be informed of any personal data breach (Art. 1 (5.) PDPL): You have the right to be informed of any personal data breach in relation to your personal data;

Right to object and/or revoke consent to data processing (Art. 1 (2) and (6) PDPL): You have the right to revoke your consent at any time, if we process your personal data based on your consent. You, further, have the right to object to our use of your personal data whenever it contradicts with your fundamental rights. We will continue to provide our services if they do not depend on the consent that has been revoked and/or objected.

To exercise these rights, please contact us at:  privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third person.

Please also contact us at any time on privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.

DATA PROTECTION OFFICER

You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.

CHANGES TO PRIVACY NOTICE

We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.

Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame for you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).

ONCARE GmbH

Postal address

Balanstraße 71a

81541 Munich, Germany

T | +49 (0) 89 4445 1156

E | info@myoncare.com

Contact info of the data protection officer:

privacy@myoncare.com

Last Updated on 21 August 2023.

* * * *

PRIVACY POLICY EGYPT

Welcome to myoncare, the digital health portal and mobile app (“App”) for efficient and needs-oriented patient care and support for corporate health management programs.

For us at Oncare GmbH (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare App is of major relevance and importance. We are aware of the responsibilities arising from your trust to provide and save your personal (health) data in the myoncare App. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.

We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the Egyptian Personal Data Protection Law (the “PDPL”). Furthermore European Data Protection rules apply, for more information please check our Privacx Notice (Europe). This Privacy Notice tells you why and how Oncare processes your personal (health) data which we collect from you or which you provide to us, when you decide to use myoncare App. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.

Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal (health) data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare.

DEFINITIONS

App User” means any user of the myoncare App (Patient and/or employee).

Blockchain” in the myoncare system is an additional database that stores data from all the installations.

Company” means your employer, if you and your employer are using myoncare Tools for the employer’s corporate health management program.

Data Service Provider” means any agent engaged and instructed by Company for collection, screening and interpretation of pseudonymized or anonymized employee data in corporate health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services etc.) and as identified by a separate information sheet to the employees.

Health Care Provider” means your doctor, clinic, health care institutions or other health care professional acting on its own or on behalf of your doctor, clinic or health care institutions.

myoncare App” means the myoncare mobile app intended for the use by patients or employees who want to use the services provided by Oncare.

myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and App Users.

myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App users via the myoncare App, as applicable.

myoncare Tools” means both, myoncare App and myoncare Portal, together.

Oncare” means ONCARE GmbH, Germany.

Portal User” means any Health Care Provider, Company or Data Service Provider using the web-based myoncare Portal.

Privacy Notice” means this statement made to you as patient or employee and user of the myoncare App that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.

myoncare PWA” means the myoncare Progressive Web App application for patients who wish to use the services offered by Oncare by the PWA  and not by the myoncare app.

Standard Terms” means the Standard Terms and Conditions for using the myoncare App.

RESPONSIBLE ENTITY

Oncare , a company registered with the Munich Local Court with the Register number 219909 with its office located Balanstraße 71a, 81541 Munich, Germany, offers and operates the mobile application myoncare App giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare App.

myoncare PWA

A progressive web app (PWA) is a website that looks and behaves as if it is a mobile app. PWAs are built to take advantage of native mobile device features, without requiring the user to visit an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing most of the benefits of native mobile apps to the mobile browser. The PWA is based on the technology of “React Native for Web”. “React Native for Web” is an open source software for PWA applications.

Before patients can use the myoncare PWA, they need a computer or smartphone and an active internet connection. An app does not need to be downloaded.

Some of the myoncare app services cannot be used within the myoncare PWA as described below. These are the following services or specifications:

-Chat with a care team;

-Video calls;

-Security PIN codes;

-Activity data tracking (e.g. AppleHealth, GoogleFit, Withings).

The following information regarding the myoncare app also apply to the myoncare PWA, unless otherwise stated in this section.

WHAT IS PERSONAL DATA

Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, voice, photograph, identification number, date of birth, address, telephone number, e-mail address and IP address, or any data referring to your psychological, medical, economic, cultural or social identity. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.

WHICH PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP

We may process the following data categories about you while using the myoncare App:

Operational Data: Personal data provided to us when you register to our myoncare App, contact us regarding any problems with the App or otherwise interact with us with the purpose of using the App (“Operational Data”);

Treatment Data: You or your Health Care Provider will enter personal data, such as name, age, height, weight, indication, disease symptoms and further information in connection with your treatment (e.g. in a care plan) with the support of myoncare App (“Treatment Data”). Treatment Data are, therefore, personal data which are collected or processed, when you interact with your Health Care Provider via myoncare App;

Activity Data: Personal data which will be processed by us when you connect myoncare App to a Health App (e.g. AppleHealth, GoogleFit, Withings). Your Activity Data is transferred to your connected Health Care Provider as Portal User.

Product Safety Data: Personal data which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal data may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies.  (“Product Safety Data”).

Reimbursement Data: Personal data which are required for the reimbursement process between your Health Care Provider and your heath insurer (“Reimbursement Data”).

Corporate Health Management Data: Personal or aggregated data which will be collected in concrete projects and questionnaires as asked by your employer (either directly or by Data Service Provider engaged by your Company). The data may relate to certain health information, your opinion regarding your personal well-being, your opinion as employee to a specific internal or external situation or data regarding the care or health situation in general (“Corporate Health Management Data”).

BLOCKCHAIN TECHNOLOGY

Blockchain technology (“Blockchain“) (European Patent No. 4 002 787), is an optional offered service, it is not mandatory. It is your Health Care Provider who decides to use the Blockchain solution. The Blockchain is supported by Hyperledger Fabric.  Hyperledger Fabric is an open source software for enterprise-grade blockchain deployments. It offers a scalable and secure platform that supports blockchain projects.

Blockchain in the myoncare system is an additional database that stores data from all the installations. All the data is stored in Germany. It is a Private Blockchain (“Private Blockchain“), it allows the entry of only selected verified participants, and it is possible to override, edit, or delete entries as required.

In general, the Blockchain is made up of digitally recorded data in a chain of packages called ‘blocks’ that store records of transactions. The manner in which these blocks are linked is chronological. The first block created is called a genesis block and each block added afterwards will have a cryptographic hash that refers to the previous block, allowing to trace transactions and changes to information going back to the Genesis block. All transactions within the blocks are validated and agreed upon by a consensus mechanism, ensuring that each transaction is true and correct.

Each block contains the list of transactions, its timestamp, its own hash, and the previous block’s hash. A hash is a function used to convert digital data to a fixed-sized alphanumeric string. If an unauthorized person tries to update the data from a single block, the hash of the block would also change and the linking to this block would be lost. At this moment, the copy blockchain won’t be in sync with the other copies. When all nodes try to sync their copies they would realize that this one copy is different and then the network marks this node as illegitimate. This process makes it quite difficult for unauthorized persons to tamper with the records in the blockchain.

Our Blockchain is a Private Blockchain. A Private Blockchain is decentralized. It is a distributed ledger that operates as a closed database.  Unlike Public Blockchains, which are “permissionless,” Private Blockchains are “permissioned,” because approval is required to become a user. In contrast to Public Blockchains that are open for everyone, Private Blockchains require some form of authorization. This allows to take advantage of the security and immutability of blockchain technology while also complying with privacy regulations, most notably the Personal Data Protection Law (PDPL). Private Blockchain records can be edited, orverrirden or deleted; deleted means in this context to erase the reference to the UUID (Universally Unique Identifier) in the customer´s database. The result is that the hash is anonymized in the Blockchain database, with the consequence that this process is compliant with the Personal Data Protection Law and it guarantees the rights of a data subject as stipulated in  Art. 2 PDPL.

Types of data that are stored and processed on the Blockchain:

-Patient UUID

-Site/Institution UUID

-Asset UUID

-Hash of Caretask & Asset Data.

(UUID: Universally Unique Identifier).

The data stored in the Blockchain is pseudo-anonymous.

Our Blockchain intends to provide services that help prove the integrity of the data related to the privacy policy, patient profile, assets, and the assigned caretasks and medications. To communicate with the blockchain, the user needs to enroll a set of public-private keys. The enrollment process generates certificates that are stored in a separate database for Health Care Providers and on the phone for the patients. A backup of the patient’s keys is encrypted and stored in the Health Care Provider database which can be accessed only by the patient.

For the privacy policy consent verification, whenever the Health Care Provider intends to communicate with the patient, the system checks if the patient has valid consent to the privacy policy of the health care institution. The blockchain is used to guarantee the integrity and accountability of the record that stores that the patient has accepted the privacy policy.

When the Health Care Provider uploads the new version of the privacy policy, the hash of the file is stored in the blockchain, and after the patient consents to the privacy policy, this interaction is stored on the blockchain. For each communication with the patient, the blockchain returns a flag if the patient’s consent is still valid for the recent privacy policy by comparing the hash.

Similarly, for the patient sync feature, the integrity of the patient profile is assured by the blockchain. The Health Care Provider knows if the patient profile is out of sync with the profile on the phone by comparing the hash of the patient profile on the blockchain. This enables the Health Care Provider to have the most recent patient profile information.

myoncare Portal:

If the Health Care Provider decides to use the Blockchain solution, ONCARE will add an extra service called adapter service that will be used to communicate with the Blockchain. The Blockchain instance is hosted by ONCARE.

myoncare App:

The patients can connect to the same Blockchain instance, and it is done with the help of the phone manager service. This service is also hosted by ONCARE.

Justification of Processing: The processing of data by Oncare for the Health Care Provider is based on Art. 6 PDPL (data processor’s obligations).

PROCESSING OF OPERATIONAL DATA

– Applicable to all App Users –

You might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the App or in case of a service request.

In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:

• The personal data that you have provided to your Health Care Provider through our App (e.g. name, date of birth, profile picture, contact details)

• The health data you have provided to your Health Care Provider, the Data Service Provider or Company through our myoncare App (e.g., information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks)

Authorized Oncare employees who have access to your Health Care Provider’s, Data Service Provider’s or Company’s database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.

When myoncare App is downloaded, the necessary information is transferred to the app store provider. We have no influence on this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare Apps and Services.

For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.

Types of Data: Your name, e-mail-address, date of birth, registration date, pseudo keys generated by the app; device token to identify your device, your pseudo identification number, your IP address, type and version of the operating system used by your device.

The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.

Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare App and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.).

Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 2 PDPL to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare App.

IP GEOLOCATION

IP geolocation: We use a geolocation application for our services. We use ipapi (provided by apilayer Data Products GmbH, Elisabethstrasse 15/5, 1010 Vienna, Austria) to identify the location of the patient users. We use ipapi for the security of our applications and for the purpose to check the location of the patient user to ensure that the use of our services is legally compliant. We do not combine the information we collect with any other information about you that could identify you. Data processed by apilayer includes patient IP address and location details. Legal basis for the use of ipapi is Art. 6 PDPL. The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. More information on the apilayer Privacy Policy can be found at https://ipapi.com/privacy/.

PROCESSING OF TREATMENT DATA

– Applicable to App Users using the App with their Health Care Provider –

During the use of myoncare App, your doctor, a clinic or other health care provider treating you (“Health Care Provider”) will enter your personal data to myoncare Portal to start myoncare Services (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your Health Care Provider will be able to upload documents and files related to you to myoncare App and myoncare Portal and can share the files with the other. Your Health Care Provider can upload a privacy policy for your information and define other consent requirements for you as a patient, for which your consent must be given. The files will be stored in a cloud database hosted in Germany. Your Health Care Professional can allow sharing such files with other Portal Users of his institution for medical reasons, but other Portal Users will not be able to access the files.

Your Health Care Provider will be responsible for a legitimate processing of the personal data.

We process such personal data, including your health data, under an agreement with and in accordance with the instructions of your Health Care Provider. For the purposes of this agreement, the Health Care Provider is responsible of processing your personal data and health data within the meaning of applicable data protection laws as data controller, and Oncare is the processor of such personal (health) data. This means that Oncare processes the Personal Data only according to the instructions of the Health Care Provider. If you have any questions or concerns regarding the processing of your personal data or health data, you should primarily contact your Health Care Provider.

Types of Data: Name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks.

Purposes of Treatment Data processing: We process your Treatment Data to be able to provide our myoncare Services to your Health Care Provider and to you. Your health data, which you enter in our myoncare App, will be used by your Health Care Provider for consultation and support to you. We process this personal data as part of an agreement with and in accordance with the instructions of your Health Care Provider. The transmission of this Treatment Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Health Care Provider.

Justification of processing of Treatment Data: Your personal data will be processed by your Health Care Provider in accordance with the provisions of the PDPL and all other applicable data protection regulations. Legal basis for data processing in particular arise from Art. 12 PDPL for health data as sensitive data as well as your consent according to Art. 6 paragraph 2 PDPL. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 6 PDPL.

Your doctor as data controller will be responsible to obtain your consent. Even if you can use myoncare App without such consent, most of the functions will not work anymore (e.g. sharing of data with your Health Care Provider). Therefore, denial or revocation of consent to process Treatment Data will lead to a heavy limitation of functionality of the App services and your doctor will not be able to support you via myoncare App anymore.

PROCESSING OF ACTIVITY DATA

– Only applicable if you agree to share Activity Data via myoncare Tools –

myoncare Tools offer you the possibility to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit, Withings), that you are using (“Health App”). To enable processing of Activity Data, we are asking you to consent to the processing beforehand. If the connection is established after you granted your consent, Activity Data collected by the Health App is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them. Please note that Activity Data is not validated by myoncare Tools and shall not be used by your connected Portal Users for diagnostic purposes or the basis for medical decision making. Please also note, that your connected Portal Users are not required to monitor your Activity Data or provide any feedback to you regarding your Activity Data.

Activity Data is shared with your connected Portal Users each time you start myoncare App. At any time you can revoke your consent to share your Activity Data from within the settings in myoncare App. Please note that your Activity Data is not shared anymore from this time point onwards. Already shared Activity Data will not be deleted from the myoncare Portal of your connected Portal Users until its minimum legal retention period outlined in the PDPL has elapsed.

The processing of Activity Data by you falls within your own data responsibility.

Types of data: The type and extent of data transferred depends on your decision and the data available in your connected Health App. Data can include, inter alia, weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.

Purposes of processing of Activity Data: Your Activity Data is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them.

Justification of Processing: The processing of the Activity Data is done under your own responsibility.

PROCESSING OF PRODUCT SAFETY DATA

As manufacturer of the App, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the App, evaluation of incident reports which might be connected to the use of the App, tracking of users etc.). In addition, your Health Care Provider and you might communicate and collect personal data in myoncare App regarding specific medical devices or pharmaceuticals used in your treatment. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).

Oncare is data controller for Product Safety Data.

Types of Data: Case reports, personal data provided in an incident report and results of evaluation.

Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by your Health Care Provider, by you as patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.

Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations is Art. 6 and 12 PDPL.

PROCESSING OF REIMBURSEMENT DATA

– Applicable to App Users using the App with their Health Care Provider for reimbursement purposes –

myoncare App will support your Health Care Provider to start standard reimbursement processes for the health services provided to you via myoncare App. To enable the reimbursement process, myoncare App will support the collection of your personal (health) data by your Healh Care Provider for transfer of such data to your cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer). This data processing is just an initial data transfer for the Health Care Provider to receive reimbursement by your health insurer. The kind and amount of personal data processed does not differ to other reimbursement routines of the Health Care Provider. Your Health Care Provider is data controller for Reimbursement Data. Oncare is acting as data processor based on the data processing agreement with your Health Care Provider.

Types of Data: Name, diagnosis, indications, treatment, period of treatment, other data required for reimbursement administration.

Processing of Reimbursement Data: Your Health Care Provider will transfer your Treatment Data required to receive reimbursement to the cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer) and the cost payer will process the Reimbursement Data to provide reimbursement to your Health Care Provider.

PROCESSING OF CORPORATE HEALTH MANAGEMENT DATA

– Applicable to App Users using the App with the corporate health management program of their Company –

During the use of myoncare App in the corporate health management program of your Company, certain  personal (health) data will be shared in an aggregated form as Corporate Health Management Data with your Company and any Data Service Providers (e.g. data analyst or research companies) engaged by your Company. Neither your Company nor any Data Service Provider will be able to allocate such data to your identity. Oncare recommends not to share personal information when using the myoncare Services in the context of corporate health management.

We process such Corporate Health Management Data, including your health data, under an agreement with and in accordance with the instructions of your Company and/or any Data Service Providers. For the purposes of this agreement, the Company is responsible for processing your Corporate Health Management Data as data controller, and Oncare as well as any Data Service Provider engaged by your Company, if any, are the processor of such data. This means that Oncare and any Data Service Provider process the Corporate Health Management Data only according to the instructions of the Company. If you have any questions or concerns regarding the processing of your Corporate Health Management Data , you should primarily contact your Company.

Purposes of Corporate Health Management Data processing: We process your Corporate Health Management Data to be able to provide our myoncare Services to your Company and to you. Your Corporate Health Management Data, which you enter in our myoncare App, will be used by your Company (either directly or via a Data Service Provider) in its corporate health management program. We process this Corporate Health Management Data as part of an agreement with and in accordance with the instructions of your Company and/or any Data Service Provider for its corporate health management program. The transmission of this Corporate Health Management Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Company.

Justification of processing of Corporate Health Management Data: Your Corporate Health Management Data will be processed by your Company in accordance with the provisions of the PDPL and all other applicable data protection regulations. Legal basis for data processing in particular arise from your consent according to Art. 6 Paragraph 1 of the PDPL or any other legal justification valid for your Company. The processing of data by Oncare to Company (either directly or via any service provider engaged by your Company) is, in addition, based on Art. 6 paragraph 2 PDPL.

Your Company as data controller will be responsible to obtain your consent if required due to data protection regulations and process the Corporate Health Management Data according to applicable data protection legislation.

SECURE TRANSFER OF PERSONAL DATA

We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.

The data exchange to and from the App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.

DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES

We will only transmit your personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).

All transfer of personal data is encrypted during transfer.

SendGrid

We use Sendgrid for sending emails. The provider is Sendgrid Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Sendgrid is a service with which the sending of emails can be organized. Sendgrid is used to send confirmation emails, transaction confirmations and emails with important information regarding existing requests. The data you enter for the purpose of receiving emails is stored on Sendgrid’s servers. When we send email on your behalf through SendGrid, we use an SSL secured connection.

The emails are related to the following tasks:

-First login to the Web Application;

-Password reset workflow for the Web Application;

-Account creation for the Patient Application;

-Password reset for the Patient Application;

-Replacing push notifications by emails for PWA (Progressive Web App) in the following cases:

(i)   When a Caretask is set to expire in one day;

(ii)  When a Caretask is set to expire in one hour;

(iii) Medication has been assigned;

(iv)  When the privacy policy has been updated.

For the purpose of analysis, the e-mails sent with SendGrid contain a so-called “tracking pixel”, which connects to Sendgrid’s servers when the e-mail is opened. By this, it is possible to determine whether an email message has been opened.

Legal basis

The data processing is based on your consent (Art. 6 PDPL para. 1). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us for the purpose of receiving emails will be stored by us until you unsubscribe from our services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe.

Please note that your data  is usually transmitted by us to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU exists.

SendGrid (Privacy Policy): https://sendgrid.com/resource/general-data-protection-regulation-2/

Matomo

This is an open source web analysis tool. Matomo (provided by InnoCraft Ltd., New Zealand) does not transfer any data to servers outside the control of ONCARE. Matomo is deactivated when you use our services. Only after you have actively allowed it, your user behaviour will be recorded anonymously. By deactivating, a “permanent cookie” will be stored, if your browser settings allow this. This cookie serves the purpose of signaling Matomo not to capture your browser.

The information on usage collected by the cookie is transferred to our servers and saved there so that we can analyse user behaviour.

The information generated by the cookie about your use is:    

-User role

-User geolocation

-User browser

-User OS

-IP Address

-Pages/screens visited in Web and PWA (see section about PWA in this Privacy Statement)

-Buttons the user clicks in Web and PWA

-Time user spent.

The information generated by the cookie on how you use our services will not be passed on to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality. For more information visit: https://matomo.org/privacy-policy/.

The legal basis for the processing of the users’ personal data is Art. 6 para. 1 of the PDPL. The processing of the users’ personal data enables us to analyse the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our services. This helps us to continuously improve our services and its user-friendliness.

We process and store personal data only for as long as this is necessary for the fulfilment of the intended purpose.

GENERAL INFORMATION ON CONSENT TO DATA PROCESSING

Your consent also constitutes permission to data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the data processing and your right of objection.

If the consent also relates to the processing of special categories of personal data (i.e. sensitive data under the PDPL), myoncare App will explicitly notify you in the consent process. Processing of sensitive data according to Art. 9, 12 and 13 PDPL may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 12 Paragraph 2 PDPL.

For the data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare App.

DATA RECIPIENTS / CATEGORIES OF RECIPIENTS

In our organization, we ensure that the only persons are entitled to process personal data are the ones who are required to do so in order to fulfill their contractual and statutory duties. Your personal data and health data that you enter in our myoncare App will be made available to your Health Care Provider and/or Company either directly or via a Data Service Provider (depending on the type of use of myoncare Tools).

In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processor for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal of your Health Care Provider and the myoncare App. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.

For this purpose, a pseudo key of the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you as a data subject. This is achieved by encryption of the data during transfer between you and your Health Care Provider or Company (either directly or to any Data Service Provider) and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers. Re-identification happens once the personal data has reached the account of your Health Care Provider or Company in myoncare Portal or your account in myoncare App after verification via specific tokens.

Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your personal data is stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your Health Care Provider, respectively. Access to your personal data by you and your Health Care Provider is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

No personal data collected by this myoncare App will be stored in the app stores. Personal Data will only be transferred to third countries (outside of Egypt) if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent.

Synchronization of myoncare App with myoncare Portal takes place via Google Firebase. The Google Firebase servers are hosted in the EU. However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its service providers have establishments are possible. In the case of certain Google Firebase services, data is only transmitted to the USA, insofar as no processing takes place in Egypt. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany.

In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth or Withings within the mobile device of the App User are used. Myoncare Tools use these interfaces which are provided by Google, Apple and Withings, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.

PERIOD OF PERSONAL DATA STORAGE

We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.). In addition, your Health Care Provider also has to ensure storage of your medical files (varies between 1 and 30 years, depending on the nature of documents).

Please note that Oncare is also subject to storage obligations which are contractually agreed with your Health Care Provider on the basis of legal provisions. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.

In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is five years.

OBLIGATION TO PROVIDE PERSONAL DATA

Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare App and the various functions it provides.

We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your enquiry or to execute the underlying contractual obligation without providing this  personal data.

GRANTED ACCESS RIGHTS

In order for the myoncare App to work on your device, it is necessary for the App to be granted various permissions to access certain functions of the device. For all devices, independent from the operating system used, it is necessary to grant the App certain permissions, which we call “basic permissions”. Depending on the operating system of the device you are using, it may have additional features that require additional permissions to make the app work. If applicable, we will list them in order of operating system (Android or iOS) after the “basic conditions”.

The basic permissions (Android and iOS) are:

• Retrieve WLAN connections

Required to ensure the functionality of the document download in connection with WLAN connections.

• Retrieve Network Connections

Required to ensure document download functionality in connection with network connections that are not WLAN connections.

• Disable screen lock (prevent stand-by mode)

Required so that the videos that are among the provided documents can be played directly in the app without being interrupted by screen lock.

• Access all networks

Access to all networks is required to download documents.

• Disable sleep mode

This is necessary so that the videos that are among the provided documents can be played directly in the app, without the playback being interrupted by the occurrence of sleep mode.

• Mobile data / access to mobile data

If the user wishes to download documents exclusively via WLAN, he can make the appropriate setting in the menu of the app and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of deactivating document downloads via mobile data.

• Camera access

Camera access is required for scanning of QR codes and for video consultations.

• Microphone access

This is required for video consultations.

• Access to files and photos

This is necessary for the exchange of files between you and your connected Portal Users.

• Access to web browsers

This is necessary to view received files from your connected Portal Users.

We use push notifications, which are messages sent to your mobile device as a service of the myoncare App via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The service provider’s privacy policy governs the access, use, and disclosure of personal information as a result of your use of these services.

AUTOMATED DECISIONS IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

YOUR RIGHTS AS DATA SUBJECT

We would like to inform you of your rights as a data subject. These rights are set out in article 1 PDPL and include:

Right of access (Art. 1 (1.) PDPL): You have the right to access and be provided with a copy of any personal data that we hold about you;

Right to rectification (Art. 1 (3.) PDPL): You can require us to correct or amend or erase or complete your personal data;

• Right to restriction of data processing (Art. 1 (4.) PDPL): You can require us to “restrict” our use of your information, so that we can continue the use of your information only subject to restrictions;

Right to be informed of any personal data breach (Art. 1 (5.) PDPL): You have the right to be informed of any personal data breach in relation to your personal data;

Right to object and/or revoke consent to data processing (Art. 1 (2) and (6) PDPL): You have the right to revoke your consent at any time, if we process your personal data based on your consent. You, further, have the right to object to our use of your personal data whenever it contradicts with your fundamental rights. We will continue to provide our services if they do not depend on the consent that has been revoked and/or objected.

To exercise these rights, please primarily contact your Health Care Provider or your Company or us at privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third party.

Please also contact us at any time at privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.

DATA PROTECTION OFFICER

You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.

AGE RESTRICTION OF THE APPLICATION

A minimum age of 18 years is required to use myoncare App

CHANGES TO PRIVACY NOTICE

We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.

Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame to you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).

‍ONCARE GmbH

Postal address

Balanstraße 71a

81541 Munich, Germany

T | +49 (0) 89 4445 1156

E | service@myoncare.com

Contact info of the data protection officer:

privacy@myoncare.com

Last updated 21 August 2023.

* * *

© 2024 ONCARE GmbH – all rights reserved. ​
myoncare is not available for sale or distribution in all markets. Please contactsales@myoncare.com for information regarding your market. myoncare is not intended to be used for medical emergencies. myoncare must not be used by patients under 18 years of age. We, as a service provider, assume no liability for monitoring the transmitted or stored third party information or the consequences arising thereof.​

Together against cancer! ​