Privacy Policy
Last updated: March 19th, 2025
Scope of application
This privacy policy explains how personal data is processed on the website www.caspar-health.com (hereinafter referred to as the “website”) and on the Caspar Health app (hereinafter referred to as the “Caspar software”). The app can be used both via the installed Caspar Health app and directly via the web browser. The therapy portal (hereinafter “CASPAR”) is operated on the app.
Responsible party
GOREHA GmbH, Neue Schönhauser Str. 20, 10178 Berlin (hereinafter referred to as “we” or “us”) is the controller pursuant to Article 4(7) of the General Data Protection Regulation (GDPR) for all personal data collected on the platform, unless otherwise stated in this Privacy Policy.
Personal data
Personal data within the meaning of Art. 4 No. 1 GDPR are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. Special categories of personal data include, for example, data relating to your physical health, so-called health data within the meaning of Art. 4 No. 15 GDPR.
Processing when visiting the website
Our Internet pages use so-called “cookies”. Cookies are small data packets and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.
Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).
Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the @ or the display of videos). Other cookies can be used to evaluate user behavior or for advertising purposes.
Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG); consent can be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
You can find out which cookies and services are used on this website in this privacy policy.
Consent with Cookiebot
Our website uses Cookiebot's consent technology to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in accordance with data protection regulations. The provider of this technology is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter “Cookiebot”).
When you enter our website, a connection is established to the Cookiebot servers in order to obtain your consent and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser in order to be able to assign the consents you have given, or their revocation, to you. The data collected in this way is stored until you ask us to delete it, delete the Cookiebot cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
We reserve the right to store the server log files for longer if there are facts that suggest unauthorized access (such as an attempt at hacking or a so-called DDoS attack). The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in the provision of the website and its proper operation. User data is not sold to third parties.
What is an IP address?
Every device (e.g. smartphone, tablet, PC) that is connected to the Internet is assigned an IP address. Which IP address this is depends on the Internet access via which your device is currently connected to the Internet. It may be the IP address assigned to you by your Internet provider, for example if you are connected to the Internet at home via your Wi-Fi. However, it can also be an IP address assigned to you by your mobile phone provider or the IP address of a provider of a public or private WLAN or other Internet access. In its currently most common form (IPv4), the IP address consists of four blocks of numbers separated by dots. As a private user, you will not usually use a constant IP address, as this is only assigned to you temporarily by your provider (so-called “dynamic IP address”). In the case of a permanently assigned IP address (so-called “static IP address”), it is in principle possible to clearly assign the user data via this feature. Except for the purpose of tracking unauthorized access to our website, we do not use this data for personal purposes, but only evaluate on an anonymous basis which of our websites are favored, how many accesses are made daily and the like.
Contact form
You have the option of getting in touch with us via our contact form. To use our contact form, we first need the data marked as mandatory fields from you.
We use this data on the basis of Art. 6 para. 1 sentence 1 lit. a) and b) or Art. 9 para. 2 GDPR to answer your request.
In addition, you can decide for yourself whether you wish to provide us with further information. This information is provided voluntarily and is not mandatory for us to contact you. We process your voluntary information on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Your data will only be processed to answer your request. We will delete your data if it is no longer required and there are no legal obligations to retain it.
Newsletter
We use our e-mail newsletter to inform our customers and people who have expressed an interest in CASPAR about further developments and new products and offers. This is a voluntary subscription to the newsletter. The legal basis for sending the newsletter to our customers is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest arises from our interest in direct advertising. Other interested persons receive the newsletter on the basis of their consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.
You can object to the use of your email address for sending the newsletter at any time via a link in the respective newsletter or revoke your consent in this way. You can also send an email to datenschutz@caspar-health.com.
Use of the Caspar therapy portal
Medical facilities and patients can set up accounts to use the CASPAR therapy portal. When creating a user account for our Caspar software, you will be asked to enter a range of personal data (in particular title, first name, surname, street, zip code, city, country of residence, telephone, e-mail address and possibly other data that we request during the registration process). However, only the country of residence is mandatory. You can view and change the data at any time under the heading “Patient account”. If you have provided an e-mail address, you will receive an overview of your current therapy activities at regular intervals. You can unsubscribe from this at any time using the unsubscribe link. We collect, store and process your data mentioned in this section for the entire processing of your use of CASPAR, including any subsequent warranties. The details of this are set out in the respective contracts and terms and conditions concluded with the persons concerned. When using CASPAR, personal health data about patients will only be processed with their prior consent. This data is transferred to CASPAR by the medical facility or by the patients themselves.
Data is only exchanged between the patient and the medical facility providing care and the doctors employed there. They are not passed on to third parties.
The data is stored for as long as it is required for the use of CASPAR. The data will then be deleted, unless there are legal rights or obligations to the contrary. It is assumed that CASPAR will continue to be used until the end of the respective contract term.
The legal basis for processing is consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR.
The declarations of consent can be accessed at any time in the respective account under the heading “Legal”. Personal data of therapists and non-health-related data of patients are processed for the purpose of performing the contract on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR.
The personal data is stored and processed exclusively on servers in Germany. All doctors and therapists are subject to professional confidentiality. We oblige our employees to maintain confidentiality in accordance with the GDPR. Data transmissions are protected against access by third parties by encryption in accordance with the recognized state of the art.
Webinars, Surveys
While using the CASPAR therapy portal, it is possible to take part in webinars. These are offered synchronously with the aftercare therapy program and represent a live extension in the area of knowledge and well-being and are therefore also part of the therapy. You will be informed about this via e-mail. Participation is voluntary and is not a prerequisite for using CASPAR or for successfully completing therapy. Registration requires a one-time entry of an e-mail address; participation in the webinar does not require a real name. Each e-mail contains an unsubscribe link.
These are carried out with Zoom, Zoom Video Communications Inc, 55 Almaden Boulevard, 6th Floor, San Jose, California 95113, USA. The data center region is Europe, so that the data of German users is routed exclusively via Europe. The legal basis for this is Art. 6 para. 1 sentence 1 lit. a) and b) or Art. 9 para. 2 lit. a) GDPR. The transfer of data to Zoom takes place on the basis of the adequacy decision within the meaning of Art. 45 GDPR. AI functions are switched off. Further information can be found at: https://explore.zoom.us/en/privacy/
While using CASPAR, it is possible to take part in surveys to improve teletherapy with CASPAR and the therapy portal itself. Participation is voluntary and is not a prerequisite for using CASPAR or for successfully completing therapy. For this purpose we use SmartSurvey, SmartSurvey Ltd, Basepoint Business Center, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD, United Kingdom. The majority of these surveys are anonymous, meaning that no personal data is processed. If a survey is conducted using pseudonymized data, the legal basis for this is Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR. The transfer takes place on the basis of Art. 45 para. 3 GDPR. The EU Commission has declared the United Kingdom a safe third country in an adequacy decision of 28.6.2021. Further information at SmartSurvey Privacy Policy.
Data portability Art. 20 GDPR
We allow patients to voluntarily connect and import their activity and health data from various sources (such as cell phones, smartwatches, fitness trackers and other digital health services such as Apple Health Kit or Google Fit). By connecting your account from another provider to CASPAR, you explicitly instruct us to transfer your data from this provider to your CASPAR account (the legal basis for this claim is Art. 20 (1) GDPR). The collection of this information is voluntary and not required for the use of CASPAR. CASPAR does not transfer any data to these providers. We integrate the Thryve Health SDK, which is provided by mHealth Pioneers GmbH, Bismarckstraße 10-12, 10625 Berlin, Germany, as part of an order processing contract. mHealth Pioneers GmbH has no access to other data stored by CASPAR.
Data processing abroad
Any transfer of data to a third country takes place in compliance with the applicable data protection law. Data is only transferred to third countries for which the European Commission has issued an adequacy decision. If individual data is still transferred to the United States of America, this is currently based on the effective Data Privacy Framework and the listing of the provider under this agreement (https://www.dataprivacyframework.gov/list). For all providers whose parent company is based in the United States, Germany has been set as the server location or data region and contractual assurances have been given that the data will not leave this area without consent.
Goreha GmbH is ISO 27001 certified.
Use of tracking and analysis tools
In the area of communication, we use Zava Sprechstunde Online GmbH, Im Teelbruch 118, 45219 Essen. This is done on the basis of Art. 6 para. 1 lit. b), Art. 9 para. 2 lit. a) GDPR. The server location is Germany. Further information on the handling of user data at Zava Sprechstunde Online can also be found at: https://sprechstunde.online/datenschutzerklaerung-app/.
For communication purposes, we also use TalkJS from Klets B.V., Bogert 1, 5612 LX Eindhoven, Netherlands. This is done on the basis of Art. 6 para. 1 lit. a) and b), Art. 9 para. 2 lit. a) GDPR. Server location in the EU. Further information on the handling of user data at TalkJS can also be found at https://talkjs.com/privacy/.
When hosting our software, we use the services of Amazon Web Services Inc (AWS), 410 Terry Avenue North Seattle, WA 98109-52-10, USA. The AWS servers we use are located in a data center in Frankfurt: Global Infrastructure Regions and AZs.
This is done on the basis of Art. 6 para. 1 lit. a) and b), Art. 9 para. 2 lit. a) GDPR exclusively in pseudonymized form.
The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data. Further information on security and data protection at AWS can be found here: AWS Data Protection and here: GDPR – Amazon Web Services (AWS).
The current privacy policy of Amazon Web Services can be found at: Data protection notice
The transfer of data to Amazon Web Services may be based on the adequacy decision within the meaning of Art. 45 GDPR.
Our app uses the error analysis service Rollbar Inc, 51 Federal Street, San Francisco, CA 94107, USA. This service reports any technical errors that occur in the app to enable us to rectify these errors immediately. The data is transmitted after an error has been detected. The purpose of the processing is the technical monitoring of our app and the documentation of error messages in order to ensure and optimize the technical stability of the app and to enable our visitors to use our app as error-free as possible. Data is only transmitted for troubleshooting purposes. In the event that sensitive personal data is involved, the transmission is based on Art. 9 para. 2 lit. a) GDPR. The transfer takes place in the form of pseudonymized metadata. Further data protection information from Rollbar can be found at Privacy Policy as well as: Data Processing Addendum.
The transfer of data to Rollbar can be based on the adequacy decision within the meaning of Art. 45 GDPR. Rollbar is also listed under the Data Privacy Framework.
Our Caspar software uses Snowflake, Snowflake Computing Netherlands B.V., Gustav Mahlerlaan 300-314, Foz Building, 1082 ME, Netherlands (parent company Snowflake Inc. Delaware, USA), to process and provide data for our services. The data is provided in pseudonymized form. This is done on the basis of Art. 6 para. 1 lit. a) and Art. 9 para. 2 lit. a) GDPR. Further information can be found at Privacy Notice | Snowflake. Snowflake is hosted on Amazon Web Services (“AWS”); AWS is subject to data protection certification in accordance with the adequacy decision of 10.07.2023, see point 13.
Our Caspar Software also uses SimplifyU, SimplifyU GmbH, Ehrwalder Straße 4, 82467 Garmisch-Partenkirchen, Germany, for the purposes of quality management and document provision. This is done on the basis of Art. 9 para. 2 lit. a) GDPR. Further information: Privacy Policy SimplifyU
We use Rapidmail, Rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg im Breisgau, Germany, for the purposes of effective treatment and regular, individual status overviews for patients. The basis for this is Art. 9 para. 2 lit. a) or Art. 6 para. 1 lit. a) GDPR. Further information: https://www.rapidmail.de/datenschutz.
We use Tableau and Salesforce, Salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany (parent company Salesforce Inc., USA) for sales, customer relations and marketing. The processing of personal data is based on Art. 6 para. 1 lit. b) GDPR and Art. 6 para. 1 lit. f) GDPR. In addition, the processing of Art. 9 para. 2 lit. a) GDPR data is pseudonymized.
The transfer of data to Tableau may be based on the adequacy decision within the meaning of Art. 45 GDPR.
We use Google, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to exchange information by email and for billing purposes. The data region is Europe, i.e. text, content, replies, drafts, subject, sender, sender etc. are stored exclusively in Europe. The processing of personal data is based on Art. 6 para. 1 lit. b), if applicable Art. 9 para. 2 lit. a) GDPR. The AI function is not used. Further information at: https://policies.google.com/privacy?hl=en-US and for data regions https://support.google.com/a/answer/7630496?hl=en.
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies, or conduct independent analyses. It is solely used for managing and deploying the tools integrated through it. However, Google Tag Manager collects your IP address, which may also be transmitted to Google’s parent company in the United States.
The use of Google Tag Manager is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in the fast and straightforward integration and management of various tools on their website. If corresponding consent has been requested, processing occurs exclusively based on Article 6(1)(a) GDPR and § 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) under the TDDDG. Consent can be revoked at any time.
The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that aims to ensure compliance with European data protection standards for data processing in the U.S. Every company certified under the DPF commits to adhering to these data protection standards. You can find more information from the provider at the following link:
https://www.dataprivacyframework.gov/participant/5780
This website uses features of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics allows the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, session duration, operating systems used, and the user's origin. These data are compiled into a user ID and assigned to the respective end device of the website visitor.
Additionally, Google Analytics can record your mouse and scroll movements as well as clicks. Furthermore, Google Analytics uses various modeling approaches to supplement the collected data sets and employs machine learning technologies for data analysis.
Google Analytics uses technologies that enable user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is generally transferred to a Google server in the USA and stored there.
The use of this service is based on your consent according to Article 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.
Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here:
https://privacy.google.com/businesses/controllerterms/mccs/
The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that ensures compliance with European data protection standards for data processing in the U.S. Every company certified under the DPF commits to adhering to these data protection standards. More information is available from the provider at the following link:
https://www.dataprivacyframework.gov/participant/5780
IP Anonymization
Google Analytics IP anonymization is activated. This means that Google shortens your IP address within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission to the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website usage and internet usage to the website operator. The IP address transmitted by your browser within the scope of Google Analytics is not merged with other Google data.
Browser Plugin
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en
More information on how Google Analytics handles user data can be found in Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=en
Data Processing Agreement
We have entered into a data processing agreement with Google and fully implement the strict requirements of German data protection authorities when using Google Analytics.
This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (Website).
Hotjar is a tool for analyzing your user behavior on this website. With Hotjar, we can record your mouse and scroll movements as well as clicks. Hotjar can also determine how long you hovered over a specific area with your mouse. Using this information, Hotjar creates heatmaps that show which areas of the website visitors prefer to view.
Furthermore, we can determine how long you stayed on a page and when you left it. We can also identify at what point you abandoned your entries in a contact form (so-called conversion funnels).
Additionally, Hotjar allows us to collect direct feedback from website visitors. This function serves to improve the website offerings of the operator.
Hotjar uses technologies that enable user recognition for analyzing user behavior (e.g., cookies or device fingerprinting).
If consent has been obtained, the use of the above-mentioned service is based solely on Article 6(1)(a) GDPR and § 25 TDDDG. Consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Article 6(1)(f) GDPR; the website operator has a legitimate interest in analyzing user behavior to optimize both its website offerings and its advertising.
Disabling Hotjar
If you want to disable Hotjar data collection, click the following link and follow the instructions provided:
https://www.hotjar.com/policies/do-not-track/
Please note that Hotjar must be disabled separately for each browser and device.
Further information about Hotjar and the collected data can be found in Hotjar’s privacy policy at the following link:
https://www.hotjar.com/privacy
Data Processing Agreement
We have entered into a data processing agreement (DPA) for the use of the aforementioned service. This is a legally required contract that ensures Hotjar processes the personal data of our website visitors only according to our instructions and in compliance with GDPR.