Data protection
Data protection notice
XO Life GmbH (“XO Life”, “we”, “us”, “our”) protects your privacy and your private data. This data protection notice serves to inform you about how we handle your personal data when you visit our website (www.britehealth.com) and app (brite) that are related to the use of our brite Platform (hereinafter “brite Platform” or “Platform”) deal with data that can be related to you personally, e.g. name, e-mail address (hereinafter also referred to as “Personal Data”), but also information about your visit and use of the Platform as well as data about your health, e.g. data about medical products used, your therapies, illnesses, etc. (hereinafter also referred to as “Health Data”).
1. Controller
The controller for the collection and processing of your Personal Data within the meaning of Art. 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is:
XO Life GmbH
Agnes-Pockels-Bogen 1
80992 Munich
Email: info@xo-life.com
Telephone: +49 (0) 89 2154 7481
Further information about us can be found in the Imprint.
For processing within the brite Platform, specifically within the general brite space and the product- and therapy-specific spaces (see clause 3), we are, in some instances, “joint controllers” within the meaning of Art. 26 GDPR along with the provider of the medication, medical device, dietary supplement, cosmetic product or other medical product (hereinafter “Product”) or the therapy or illness for which the respective “Product and Therapy Space” is set up. “Providers” in this sense include, for example, pharmaceutical companies, medical device manufacturers or distributors, other companies in the healthcare and life sciences industry, members of medical professions as well as the organizations in which they are employed, self-help groups or research institutions. The respective Product and Therapy Space indicates who the Provider is.
As joint controllers in accordance with Art. 26 GDPR, we are jointly responsible for the processing of your data for the processing procedures mentioned in clause 3. To safeguard your rights and in accordance with the provisions of the GDPR, we have concluded an agreement with the respective Provider that sets out rules for our joint processing of your Personal Data. We have agreed on how we will ensure your rights and defined how we will jointly fulfill our obligations under the GDPR. XO Life GmbH is available to you as a point of contact, in particular for the assertion of your rights under clause 8 of this data protection notice. However, you can contact any of the jointly responsible parties.
2. Data protection officer
If you have any questions regarding the processing of Personal Data by XO Life, you can contact our data protection officer:
XO Life GmbH
Data Protection
Agnes-Pockels-Bogen 1
80992 Munich
E-Mail: datenschutz@xo-life.com
3. Data processing when visiting and using the brite Platform
You can add and use various treatment spaces on the brite Platform. We provide you with a general space called “brite”. You can add other spaces that are appropriate and relevant to you, depending on the Products you use or your therapies or illnesses. These include Product- and therapy-specific spaces that have been set up at the request of a Provider for a specific Product or therapy or illness. As a user of the Product or as a patient receiving the therapy or in the case of the relevant illness, you have the option of adding and using the corresponding Product and Therapy Space in the brite Platform.
3.1 Log files
In order to provide our Platform and ensure its functionality, the web server automatically records data in “server-log files” while using the Platform. When using the Platform in the web-server, the following data is processed: browser type and version, app version, the operating system used by the end device, the IP address of the requesting end device, the date and time of the server request, the duration of the stay on the Platform, the amount of data transferred, the location from which the user accesses data from the Platform, connection data and sources and from which website the access occurs.
Less data is processed in the brite Platform than in the web server, namely the following data: browser type and version, app version, the operating system used by the device, the IP address of the requesting device in anonymized form (192.168.1.1 becomes 192.168.1.x), the date and time of the server request and the amount of data transferred. Anonymized log files are not deleted.
Purpose
This data is processed for the purpose of providing our Platform and for statistical evaluations, as well as for the purpose of identifying and tracing unauthorized access to the Platform and any criminal activity.
Legal basis and legitimate interest
The legal basis for data processing is Art. 6(1) sentence 1 f) GDPR. Our legitimate interests consist of ensuring IT security and operation, as well as the statistical evaluation of our website.
Recipient
The recipients of the data are our hosting service providers.
Storage period
Log file information is stored for a maximum of one month from the end of your respective Platform visit and then deleted.
Right to object
Data processing is necessary for the security and operation of the Platform. You can exercise your right to object to further, future data processing by not accessing our Platform any longer.
Obligation to provide data
The provision of the aforementioned Personal Data is not required by law or by contract. However, without the provision, the service and functionality of our Platform cannot be guaranteed. In addition, individual services may not be available or may be restricted.
3.2 General information on cookies
Cookies are small text files that enable the storage of individual user data, in particular the identification of the user's device. When you use the Platform, cookies are stored on your end device. Cookies can transfer information from our server or third-party servers to the user's web browser or apps, where it is stored for later retrieval. A cookie usually contains the name of the domain from which the cookie data was sent, as well as information about the age of the cookie and an alphanumeric identifier.Purpose
We use cookies to ensure the proper functioning of the Platform and to optimize your user experience.
Legal basis and legitimate interest
The legal basis for data processing is Art. 6(1) sentence 1 f) GDPR. Our legitimate interests lie in the technical provision and the guarantee of the operation of our website and IT security as well as in the optimization of the presentation of our offer and direct marketing measures.We do not process Personal Data on our Platform in connection with analysis or tracking for which we require your consent in accordance with Art. 6(1) sentence 1 a) GDPR.
Recipients
We only pass on your data to our IT and hosting service providers for a specific purpose – if at all necessary – and only to the extent necessary, in addition to the transfers described below.
Storage period
We store the data for as long as it is needed to fulfill the aforementioned purpose or until you delete the cookies.
Right to object
Insofar as the data processing is based on the legal basis of Art. 6(1) sentence 1 f) GDPR, you may object to the data processing. You can exercise your right to object by configuring your browser according to your preferences, for example, so that no third-party cookies or no cookies in general are stored or so that a message always appears before a new cookie is created. In addition, cookies that have already been stored can be deleted at any time via the browser settings.
The following links will show you how to configure cookies for the most common browsers:
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Chrome: https://support.google.com/chrome/answer/95647?hl=de&hlrm=en
Safari: https://support.apple.com/de-de/guide/safari/sfri11471/17.0/mac
Opera: https://help.opera.com/de/latest/web-preferences/#cookies
Obligation to provide data
The provision of your Personal Data is not required by law or by contract. However, if you do not provide the data, the service and functionality of our Platform cannot be guaranteed. In addition, individual services may not be available or may be restricted.
3.3 Cookie settings by consentmanager
On our website, we use consentmanager, a cookie banner solution from the Händlerbund. The service provider is the German company Händlerbund Management AG, Torgauer Str. 233, ArcuSpark/House B, 04347 Leipzig, Germany (hereinafter consentmanager). Among other things, the consentmanager offers us the option of providing you with a comprehensive and privacy-compliant cookie notice so that you can decide for yourself which cookies you allow and which you do not. By using this software, data from you is sent to consentmanager and stored. The consentmanager is software that scans our website and identifies and categorizes all existing cookies. In addition, as a website visitor, you are informed about the use of cookies via a cookie notice script and decide for yourself which cookies you allow and which you do not.
Purpose
We want to offer you maximum transparency in the area of data protection. To ensure this, we first need to know exactly which cookies have ended up on our website over time. Because consentmanager's Consent Manager regularly scans our website and finds all cookies, we have full control over these cookies and can therefore act in compliance with GDPR. This allows us to provide you with detailed information about the use of cookies on our website. In addition, you will always receive an up-to-date and privacy-compliant cookie notice and decide for yourself via the checkbox system which cookies you accept or block.
Legal basis
If you accept cookies, these cookies will process and store your personal data. If we are allowed to use cookies with your consent (Article 6 (1) (a) GDPR), this consent is also the legal basis for using cookies or processing your data. The consentmanager is used to be able to manage your consent to cookies and to enable you to give your consent. The use of this software enables us to efficiently operate the website in a legally compliant manner, which represents a legitimate interest (Article 6 (1) (f) GDPR).
Storage period
All data collected by the consentmanager is transferred and stored exclusively within the European Union. The collected data is stored on consentmanager's servers at Hetzner GmbH in Germany. Only the German company Händlerbund Management AG has access to this data.
Objection option
You have the right to access and delete your personal data at any time. You can prevent data collection and storage, for example, by refusing the use of cookies via the cookie settings dialog. Your browser offers another option to prevent data processing or to manage it according to your wishes. Depending on the browser, cookie management works a bit differently. You can find out more about the data that is processed by using consentmanager in the privacy policy of Consentmanager.
3.4 Using Google Tag Manager
For our website, we use Google Tag Manager from Google Inc. For Europe, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This tag manager is one of many helpful marketing products from Google. Google Tag Manager allows us to centrally integrate and manage code sections from various tracking tools that we use on our website.
Purpose
Google Tag Manager is an organizational tool that allows us to integrate and manage website tags centrally and via a user interface. Tags are small sections of code that record (track) your activities on our website, for example. For this purpose, JavaScript code sections are used in the source code of our site. The tags often come from Google's internal products such as Google Ads or Google Analytics, but tags from other companies can also be integrated and managed via the manager. Such tags perform different tasks. You can collect browsing data, feed marketing tools with data, include buttons, set cookies and also track users across multiple websites.
Legal basis
The use of Google Tag Manager requires your consent, which we must have obtained through our cookie settings dialog before your data is processed. If you agree to the cookies, these cookies will process and store your personal data. If we are allowed to use cookies with your consent (Article 6 (1) (a) GDPR), this consent is also the legal basis for using cookies or processing your data. In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors and thus improving our offer both technically and in terms of content. With the help of Google Tag Manager, we can improve our profitability. The legal basis for this is Article 6 (1) (f) GDPR.
Storage period
Google Tag Manager stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID, which can be used to recognize you when you visit the website in the future. The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data will be stored indefinitely in aggregate form. You can find out more about this in the privacy policies from Google.
Objection option
If you do not agree with the collection, you can prevent this by installing the browser add-on once to deactivate Google Analytics or by rejecting cookies via our cookie settings dialog. You therefore have the right to access and delete your personal data at any time. Your browser offers another option to prevent data processing or to manage it according to your wishes. Depending on the browser, cookie management works a bit differently. Under the “Cookies” section, you will find the corresponding links to the respective instructions of the most popular browsers.
3.5 Stability testing and monitoring by Sentry
We use the Sentry tool provided by Functional Software, Inc., 132 Hawthorne Street, San Francisco, California 94107, USA (“Sentry”) to improve the technical stability of our service by monitoring system stability and detecting code errors. Sentry is used to collect information about crashes and malfunctions of our services on your device. Your IP address is collected only in abbreviated form and transmitted to Sentry's servers together with technical data from the device (such as operating system version, screen resolution, device ID). Sentry is committed to complying with the EU-US Privacy Shield Agreement between the EU and the US on the collection, use and retention of Personal Data from EU member states, as evidenced by its EU-US Privacy Shield-Certification at the US Department of Commerce.
Purpose
We use Sentry to monitor system stability and detect code errors.
Legal basis and legitimate interest
Data processing is carried out on the basis of our legitimate interest in accordance with Art. 6(1) sentence 1 f) GDPR. Our legitimate interest lies in creating a website that works as error-free as possible and in maintaining the security and stability of our website. The anonymization of the IP address sufficiently takes into account the user's interest in the protection of his Personal Data.
Recipient / Transfer to third country
In the event of an error message, your data may be transferred to and stored on Sentry servers outside the EU, in particular in the US. The transfer is secured by a commissioned data processing agreement. Information on data protection at Sentry can be found here: https://sentry.io/privacy/.
Storage period
Data is stored only for as long as is necessary for the (error) analysis of your specific access.
Right to object
Data processing is necessary for the security and operation of the Platform. You can exercise your right to object to further, future data processing by not accessing our Platform any further.
Obligation to provide data
The provision of your data is voluntary. However, it is not possible to visit our website without us performing an error analysis.
3.6 Website creation and hosting (Webflow)
We host our website with Webflow. The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as Webflow). When you visit our website, Webflow collects various log files including your IP addresses.
Purpose
Webflow is a tool for creating and hosting websites.Webflow stores cookies or other recognition technologies that are required to display the page, to provide certain website functions and to ensure security (necessary cookies).
Storage data
Webflow does not collect any further cookies without your consent. This is entirely up to you and can be set by you via the cookie settings on the website. For details on Webflow's cookies, please refer to Webflow's privacy policy: EU & Swiss Privacy Policy (Webflow).
Legal basis
The use of Webflow is based on Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time. A transfer to the USA is protected by the contractual clauses of the EU Commission in compliance with the GDPR. Details can be found here: EU & Swiss Privacy Policy in (Webflow).
Order processing
We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that this provider only processes personal data from our website in accordance with our instructions and in compliance with the GDPR.
3.7 Web analysis (Matomo)
We use the open-source software “Matomo” provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, to analyze and statistically evaluate the use of the platform (“Matomo”). Matomo sets a cookie on the user's device. This records three bytes of the IP address, the page accessed, the “referrer URL” (the website from which the user accessed the page visited), sub-pages visited, the duration and the frequency of visits to the Platform. When you visit, Matomo records a “device fingerprint”: This involves retrieving information about your browser, the operating system you are using and any “do-not-track”- settings. In addition, location, time and audio settings, screen resolution or installed browser plugins can be recorded. The device fingerprint data is anonymized. Matomo runs only on our Platform's servers. The collected information is only stored there. We have configured Matomo so that the IP address is not stored in full and the last byte is masked (e.g. 192.168.1.x). It is no longer possible to assign the abbreviated IP address to you or your end device.
Purpose
The information is used to evaluate the use of the Platform and to enable us to design our offers in line with requirements and to optimize them.
Legal basis
The legal basis for this processing is Art. 6(1) sentence 1 f) GDPR. Our legitimate interest lies in analyzing your activities on the Platform in order to optimize our offering. The anonymization of the IP address sufficiently protects the user's interest in the protection of his or her Personal Data.
Recipients
Our Platform, including Matomo, is provided by our hosting service providers that carry out the commissioned data processing in accordance with Art. 28 GDPR. The information is not passed on to third parties as we store the data locally.
Storage period
The cookies are stored for up to one year.
Right to object
You can prevent the collection of data generated by the cookie and related to your use, as well as the processing of this data by Matomo, by configuring your browser or end device accordingly.
Obligation to provide your data
You provide your data on a voluntary basis. Please note that if you object to the use of Matomo, you may not be able to use the website or may only be able to use it to an extent.
3.8 Web analysis (Google Analytics)
We use Google Analytics to analyze website usage. The data obtained from this is used to optimize our website and advertising measures. Google Analytics is provided to us by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes website usage data on our behalf and is contractually committed to measures to ensure the security and confidentiality of the processed data.
During your visit to the website, the following data, among others, is transmitted to Google:
- Pages viewed
- The achievement of “website goals” (e.g. contact requests and newsletter registrations)
- Your behavior on the pages (e.g. time spent, clicks, scroll depth)
- Your approximate location (country and city)
- Your Internet address (IP address)
- Technical information such as browser, Internet provider, device and screen resolution
- Source of origin of your visit (i.e. via which website or advertising medium you came to us)
- A randomly generated user ID
No personal data such as name, address or contact details is transferred to Google Analytics. This data is transferred to Google servers in the USA. We would like to point out that the same level of data protection protection cannot be guaranteed in the USA as within the EU. Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID, which can be used to recognize you when you visit the website in the future. The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data will be stored indefinitely in aggregate form. You can find out more about this in the privacy policies from Google. If you do not agree with the collection, you can prevent this by installing the browser add-on once to deactivate Google Analytics or by rejecting cookies via our cookie settings dialog.
3.9 Web analysis (Microsoft Clarity)
We use Microsoft Clarity to analyze and improve the use of our website. The data obtained helps us to optimize and market our products and services as well as our website in a targeted manner. Microsoft Clarity is provided to us by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA). Microsoft processes website usage data on our behalf and is contractually committed to ensuring the security and confidentiality of the processed data.
During your visit to the website, the following data, among others, is transmitted to Microsoft:
- Pages viewed
- Your behavior on the pages (e.g. clicks, scroll depth, length of stay)
- Behavioral metrics, heat maps, and session recordings
- Technical information (e.g. browser type, operating system, device type, screen resolution)
- Your approximate location (country and city)
- Your Internet address (IP address)
- Technical information such as browser, Internet provider, device and screen resolution
- Source of origin of your visit (i.e. via which website or advertising medium you came to us)
- A randomly generated user ID
Microsoft Clarity uses cookies and other tracking technologies to collect data. This data is also used for website optimization, fraud prevention and security, as well as for advertising purposes. Please note that the data collected may be transferred to Microsoft servers in the USA. For more information about how Microsoft processes your data, please see Microsoft privacy statement. If you do not agree to the collection and processing of your data by Microsoft Clarity, you can reject it by making appropriate settings in our cookie settings dialog.
3.10 Push notifications by OneSignal
We use technology provided by OneSignal, 201 San Antonio Circle Suite #140, Mountain View, CA, USA, to send push notifications to our brite app. OneSignal has committed itself to complying with the EU-US Privacy Shield Agreement between the EU and the US on the collection, use and retention of personal data from EU member states by means of an EU-US Privacy Shield-Certification at the US Department of Commerce. We do not send any Personal Data to OneSignal. The IP address of the device/browser from which users in the EU visit the Platform is not collected by OneSignal.In order to send you push notifications, it is necessary for non-Personal Data, such as a message, to be transmitted to the OneSignal servers. Data collected by the OneSignal Software Development Kits (SDK) includes the following: First session time, last session time, the operating system of the device/browser, the language that the device/browser reports, whether push notifications are enabled or disabled on the device/browser, the version of the application that the user ran in the last session, the name of the mobile application, the mobile provider used by the device, and the model name of the device/browser. Furthermore, we send usage-related data, for example the timestamp of when a questionnaire has been filled out, to OneSignal in the form of a tag. We use this data to send you push notifications that are as relevant and tailored to you to the greatest extent possible. More information can be found here.
Purpose
After you first log in to your account, we will ask for your consent to receive push notifications on your smartphone. We send push notifications to alert you to our offers or news. Consent is given for each device. If you give your consent, you will receive regular push notifications by our app.Legal basisThe legal basis for the use of push notifications is your consent (Art. 6(1) sentence 1 a) GDPR).
Recipient
The above data relating to the creation of segments for sending push notifications is sent to OneSignal in the form of a tag.
Storage period
Recordings of notifications sent via the OneSignal API are deleted approximately 30 days after delivery.
Option to withdraw consent
You have the option to deactivate push notifications at any time if you no longer wish to receive them. You can deactivate push notifications in your smartphone settings.
Obligation to provide your data
The provision of your data is voluntary. We would like to point out that if you object to the use of push notifications, you will not be able to use some features or will not be able to use them to their full extent. An example of this is the reminder function for taking tablets (also known as a “pill reminder”).
3.11 Registration of a user account
In order to be able to use the brite Platform, you must register as a user by creating a user account. Registration is done via the brite general space or a Product and Therapy Space. A user account allows you to use the entire brite Platform, including all other spaces that you (optionally) add over time. For registration, we process your e-mail address and the password you have chosen. You can add information to your user account as you continue to use the service. This includes demographic data (e.g. gender, age, weight, height) and data on Products used as well as your therapies or illnesses, to the extent that you provide information on them.
Purpose
The data is processed in order to create your user account on the brite Platform in accordance with the user agreement made with you.
Legal basis
The legal basis for the data processing is Art. 6(1) sentence 1 b) GDPR, as we require the data for the purpose of fulfilling the user agreement with you. If we process Health Data within the meaning of Art. 4 No. 15 GDPR, specifically, for example, data on Products used, your therapies or illnesses, the legal basis for this is your explicit consent in accordance with Art. 9(2) a) GDPR.
Recipient
Your data will be passed on to our IT service providers as part of processing in accordance with Art. 28 GDPR to the extent that is necessary.
Storage duration
We process your data until you revoke your consent by deleting your user account.
Option to withdraw consent
You have the option at any time to freely withdraw your consent by deleting your user account in its entirety.
Obligation to provide your data
There is no legal requirement to provide your data. However, if you do not provide us with your data, it will not be possible to create your user account.
3.12 Using the brite Platform features
As a registered user, you have the option to use the various features of the brite Platform. You can add information about the Products you use or your therapies or illnesses. You can add Product and Therapy Spaces based on your information. Based on your information, the brite general space and the Product and Therapy Space will suggest suitable questionnaires (so-called scientifically standardized or individual question sets) which can be answered by you. This way, you can receive information about the experiences other users have had with similar Products, therapies or illnesses (“peer statistics”). In the brite Platform, you also have the option to report side effects of the medication you are taking.
We process your activities in the brite Platform to show you your progress in our Achievement-Program and to reward you with points from our points system, discounts, coupons, or other gifts or benefits. In addition, you will receive information and content that is relevant or interesting to you via message (e.g. push notification or email) concerning Product and Therapy Spaces, the Products you use or your therapies or illnesses, as well as messages concerning your health interests in publisher channels and in the Product and Therapy Spaces of Providers and on interactions of different Products (“interaction check”). Finally, you have the opportunity to communicate with us, Providers or other users (“community”) and to receive medical support from Providers, for example in the form of chats, telemedicine or similar services, by making use of existing interaction functions.
Purpose
We process your data to enable you to use the various functions of the brite Platform.
Legal basis
If we process your Health Data within the meaning of Art. 4 No. 15 GDPR, the legal basis for this is your explicit consent in accordance with Art. 9(2) a) GDPR. For other data, the legal basis for data processing is Art. 6(1) sentence 1 b) GDPR, as we process the data for the purpose of fulfilling the user contract with you.
Recipients
Your data will be forwarded to our IT service providers as part of processing in accordance with Art. 28 GDPR to the extent that is necessary. If you use the interaction functions, the persons to whom you send messages can view the data transmitted in the message. Other registered users can see your public reactions or comments.
Storage period
We process your data until you withdraw your consent by deleting your user account.
Option to withdraw consent
You have the option at any time to freely withdraw your consent by deleting your user account in its entirety.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, not all functions of the brite Platform may be available to you. Without providing your Health Data, you will not be able to obtain the Peer Statistics and the features of monitoring health progress and personalized display of medical and health-related content and suitable Product and Therapy Spaces will not be available.
3.13 Pseudonymization and anonymization
We pseudonymize and anonymize your personal Health Data from your user account and the Health Data that you have provided in response to questionnaires (see clause 3.7). Pseudonymisation is the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
During anonymization, your data is modified in such a way that it can no longer be linked to you or can be linked to you only with disproportionate technical effort.
However, pseudonymization and anonymization of your data can never completely rule out the possibility of information about you being linked to you at a later point in time from other sources, e.g. information that you provide on social media. Therefore, there is always a residual risk that information can be traced back to you. This applies particularly for example if you publish genetic or other Health Data on the internet yourself, e.g. for genealogical research. Should your data fall into unauthorized hands despite extensive technical and organizational protective measures and should it then be possible to trace it back to you despite the lack of name-related information, the possibility of discriminatory or otherwise harmful use of the data against you and possibly against close relatives cannot be ruled out.
Purpose
We anonymize your data for statistical purposes, primarily to provide you with statistical evaluations in the form of Peer Statistics (see Section 3.7). We also use anonymized data for our own statistical purposes, primarily for Product improvement, as well as to provide anonymized overviews to Providers (see Section 3.9).We pseudonymize your data, also for our own statistical purposes, primarily to analyze it for Product improvement and to be able to provide it to the Providers relevant to you (see clause 3.9).
Legal basis
The legal basis for the pseudonymization and anonymization and analysis of your Health Data within the meaning of Art. 4 No. 15 GDPR for the stated purposes is your explicit consent in accordance with Art. 9(2) a) GDPR.
Recipients
Your data will be passed on to our IT service providers as part of processing in accordance with Art. 28 GDPR to the extent that is necessary.
Storage duration
We only process your data until you withdraw your consent by deleting your user account. We cannot delete anonymized data because it can no longer be linked to you.
Option to withdraw consent
You have the option to freely revoke your consent at any time by deleting your user account in its entirety.
Obligation to provide your data
There is no legal obligation to provide your Health Data. However, if you do not provide us with your data, not all services of the brite Platform may be available to you. Without providing your Health Data, you cannot receive the Peer Statistics and the features of monitoring the health history as well as the personalized display of medical and health-related content and suitable Product and Therapy Spaces are not available.
3.14 Merging and transfer of data to Providers
As a user of the brite Platform, you are a user of a Product or a patient undergoing therapy or suffering from a specific illness. Providers are interested in the (health) data you provide when using the brite Platform, in particular when answering questions (see clause 3.7), e.g. to conduct market research, to carry out or validate Product safety checks or for scientific research purposes. In order to offer you the free features of the brite Platform, we therefore only pass on your data, including adverse reaction reports, to Providers in pseudonymized and anonymized form (see Section 3.8). We ensure that Providers cannot identify you and/or personally assign the transmitted data to you.If you use one or more Product and Therapy Spaces in the brite Platform, your data from the general brite space and, depending on the consent of the respective Provider, the Product and Therapy Space(s) in question, will be merged before transmission in order to provide Providers with a more comprehensive picture of the use of their Products or therapies and thus increase user safety. Providers will still not be able to identify you. You will not benefit from any commercial benefits that may arise from the processing of your data.
Purpose
We process your pseudonymized and anonymized (health) data in order to transmit it to Providers.
Legal basis
The legal basis for the processing of your Health Data within the meaning of Art. 4 No. 15 GDPR for this purpose is your explicit consent in accordance with Art. 9(2) a) GDPR.
Recipients
Recipients of your data in the context of processing in accordance with Art. 28 GDPR are our IT service providers and in other instances the Providers for whom your data is important, in countries of the European Union or the European Economic Area or in other countries where the European Commission has established an adequate level of data protection.
Storage duration
We only transmit your data until you withdraw your consent by deleting your user account. We cannot delete anonymized data because it can no longer be linked to you.
Option to withdraw consent
You have the option to freely withdraw your consent at any time by deleting your user account in its entirety.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, you may not be able to access all the features of the brite Platform. Without providing your Health Data, you will not be able to obtain the Peer Statistics and the features of monitoring health progress and personalized display of medical and health-related content and suitable Product and Therapy Spaces will not be available.
3.15 Messages
Under certain circumstances, we will send you e-mails to introduce you to our Products and services or new offers and features of the Platform that may be of interest to you, to give you a small treat in the form of a voucher, or to find out how satisfied you are with the brite Platform. You will receive these marketing e-mails without the need for consent if we receive your e-mail address from you during registration of a user account and you have not objected to marketing e-mails. In this case, we may send you messages about our services that are similar to or relate to the services you have used. If you give your consent in your system or device settings, we will also send you messages using push and browser notifications in the brite Platform. If you have given your consent to the processing of your Health Data for marketing purposes, we can send you messages tailored to your needs, e.g. about new Product and Therapy Spaces.
Purpose
We send you messages for the purpose of direct marketing to inform you about our offers and services.
Legal basis and legitimate interest
The legal basis for the processing of your data in order to send the e-mails for which we do not require consent is Art. 6 (1) f) GDPR. Our legitimate interests lie in sending you advertising in the form of direct marketing. Your interests are protected by the contractual relationship between you and us, the information provided by us in this data protection notice, and your option to unsubscribe from email notifications at any time with a single click at the end of the email if you are no longer interested.The legal basis for push and browser notifications is your consent in accordance with Art. 6(1) a) GDPR.The legal basis for the processing of your Health Data is your explicit consent in accordance with Art.9 (2) a) GDPR.
Recipient
We pass on your data to our IT service providers as processors in accordance with Art. 28 GDPR for specific purposes, if at all necessary and only to the extent necessary.
Storage period
Your data will be stored for the purpose of sending messages for as long as they are needed for this purpose or until you object to the processing of your data for this purpose or withdraw your consent.
Right to object/withdraw consent
You can unsubscribe from our e-mails at any time. For this purpose, there is an opt-out link in every advertising e-mail. You can disable push and browser notifications in your device or system settings.
Obligation to provide your data
We receive your e-mail data as part of the contractual relationship between yourself and us. It is not possible to create a user account without providing this data. However, you can object to the processing of your data for the purpose of sending e-mails at any time in accordance with the above information. Consent to receive push and browser notifications is voluntary.
4. Data processing when contacting us by email or telephone
You can contact us using the email addresses and telephone numbers provided by us. If you make use of this option, your Personal Data transmitted by email or telephone will be processed.
Purpose
We process your data for the purpose of processing your request.
Legal basis and legitimate interest
If the purpose of the contact is to conclude a contract or if your contact concerns an existing contract, Art. 6(1) b) GDPR is the legal basis for the processing. The legal basis for the processing of your data in other cases is Art. 6(1) f) GDPR. In these cases, the legitimate interest arises from the fact that we can only carry out the action you have requested (e.g. answering questions) by processing your data accordingly.
Recipient
When processing your request, your data will be transmitted to our IT service providers as processors in accordance with Art. 28 GDPR and to our employees who process your request.
Storage period
We store your data until your request has been fully answered.
Right to object
The processing of your data is necessary for handling your request. You can prevent us from collecting your data by not sending us a request.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, it may not be possible to contact us at all or only by certain means of communication.
5. Data security
While you are visiting our Platform (clause 3), we use the common TLS (Transport Layer Security) method in conjunction with the highest level of encryption supported by your browser or operating system. We use HTTP Strict Transport Security (HSTS) and automatic forwarding to ensure that all communication on and via our Platform is transmitted in encrypted form. You can recognize this by the closed display of the key or lock symbol in the lower status bar of your browser. When data is stored, it is protected on the storage medium using modern encryption methods. We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.We maintain the highest security standards, particularly in connection with the processing of your data in the brite Platform (clauses 3.6-3.10). In addition to the pseudonymization and anonymization of the data (clause 3.8), our servers are hosted in ISO 27001 certified data centers in Germany.Despite the high data security standards we have implemented, unfortunately a residual risk to the security of your Personal Data cannot be ruled out completely.
6. Transfer to a “third country”
Unless otherwise stated in this data protection notice, we do not transfer your data to countries outside the European Economic Area.
7. How long we store your Personal Data
Unless a shorter storage period is specified in the other provisions of this data protection notice, we will only store your Personal Data for as long as is necessary to fulfill the respective purposes, and thereafter only to the extent that we are obliged to do so due to mandatory statutory retention requirements. If we no longer need your data for the purposes described in this data protection notice, it will be stored only for the duration of the respective statutory retention period and will not be processed for other purposes.
8. Your rights
If we process your Personal Data, you have the following rights in relation to us:
8.1 Right of access
You have the right to request confirmation from us as to whether Personal Data concerning your person is being processed by us. If such processing is taking place, you can request information from us about the data listed in Art. 15 GDPR. If you exercise your right without telling us what specific information you want, you will receive all the information from us that listed in Art. 15 GDPR.
8.2 Right to rectification
You have the right to request that we rectify or complete your Personal Data if the processed Personal Data concerning you is incorrect or incomplete.
8.3 Right to restriction of processing
You have the right to request that the processing of your Personal Data be restricted under the following conditions:
- If you dispute the correctness of your Personal Data. This applies to a period of time that allows us to verify the accuracy of your Personal Data.
- The processing is unlawful. You refuse to allow the deletion of your Personal Data and instead request that the use of your Personal Data be restricted.
- We no longer need your Personal Data for the purposes of processing. However, you need it to assert, exercise or defend legal claims.
- If you have objected to processing in accordance with Art. 21 (1) GDPR and it is not yet certain whether our legitimate reasons for further processing outweigh your reasons to restrict processing. Where processing of Personal Data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural person or legal entity or for reasons of important public interest of the European Union or of a Member State.
If the processing has been restricted in accordance with the conditions stated above, we will inform you before the restriction is to be lifted.
8.4 Right to erasure
8.4.1 Erasure obligation
You have the right to request that we erase the Personal Data concerning you without undue delay. We are obliged to erase this data without undue delay if one of the reasons listed in Art. 17 GDPR applies. Anonymized data cannot be erased.
8.4.2 Information to third parties
If we have made the Personal Data concerning you public in individual cases and we are obliged to delete it in accordance with Art. 17(1) GDPR, we will take appropriate measures, including technical ones, taking into account the available technologies and the implementation costs, to inform those responsible for data processing who process the Personal Data that you, as the data subject, have requested the deletion of all links to this Personal Data or of copies or replications of this Personal Data. However, we do not generally make your Personal Data public.
8.4.3 Exceptions
The right to erasure does not apply to the extent that processing of the Personal Data concerning you is necessary:
- in order to exercise the right of freedom of expression and information;
- in order to comply with a legal obligation which requires processing by EU or German law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons that are of public interest in the area of public health in accordance with Art. 9(2) h) and i) as well as Art. 9(3) GDPR;
- for archiving purposes that are of public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR to the extent to which the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- to establish, exercise or defend legal claims.
8.5 Right to information
If you have asserted the right to rectification, erasure or restriction of the processing of your Personal Data towards us, we are obliged to communicate this rectification or erasure of data or restriction of processing to each recipient to whom your Personal Data has been disclosed. This does not apply if such communication proves impossible or involves disproportionate effort. You have the right to request that we inform you about these recipients.
8.6 Right to data portability
You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller provided that:
- the processing is based on consent pursuant to Art. 6(1) a) GDPR or Art. 9(2) a) GDPR or on a contract pursuant to Art. 6(1) b) GDPR, and
- the processing is carried out by automated means. If you request it and if it is technically feasible for us and does not adversely affect the freedoms and rights of others, we will transmit the Personal Data concerning you to the other controller directly.
The right to data portability does not apply to the processing of Personal Data necessary for the performance of a task carried out in public interest or in the exercise of official authority vested in us.
8.7 Right to object
You have the right to object to the processing of Personal Data concerning you, which is based on Art. 6(1) e) or f) GDPR, on grounds relating to your particular situation, at any time, including profiling based on those provisions.
We will no longer process the Personal Data concerning you after your objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
Where Personal Data concerning you are processed for direct marketing purposes, you have the right to object to processing of Personal Data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing, at any time.
8.8 Automated individual decision-making, including profiling
Should certain decisions by us be based solely on automated processing, which also includes profiling, you have the right not to be subject to such a decision, should this decision produce legal effects towards you or similarly significantly affect you. However, this does not apply if:
- the decision is necessary for entering into, or the execution of, a contract between yourself and us;
- the decision is admissible under European Union or German law and these legal provisions contain appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
- this form of decision-making is carried out with your explicit consent.
8.9 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of Personal Data relating to you infringes the data protection provisions of the GDPR, among other things.
8.10 Withdrawal of consent
If you have given declarations of consent under data protection law, you have the right to freely withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. If you have given several declarations of consent under data protection law, please let us know which of the declarations of consent you are revoking. If we do not receive such a specification, even upon request, we will assume that your revocation applies to all declarations of consent given up to that point. We will then terminate all data processing activities based on your consent.
9. Links to third-party websites
Please note that our Platforms may contain links to content from other Providers to which this data protection notice does not apply. We have no influence over these websites and no way of knowing whether they comply with the applicable data protection regulations.
10. Updating the data protection notice
Constant developments in technology and the internet make it necessary for us to amend our data protection notice from time to time. We reserve the right to change this data protection information at any time with effect for the future. The current version is available on our Platform. Please visit the Platform regularly and read the current data protection notice.
Last update:
28.01.2025