
Privacy Policy Leviomed 

Privacy Policy

The protection of your personal data is important to us. According to the EU General Data Protection Regulation (GDPR), we are obliged to inform you about the purpose for which we process personal data (e.g. collect, store or forward). The information also tells you what rights you have in terms of data protection.

 

About LevioMed

Leviomed is a web platform with associated apps that quickly and easily connects patients and physicians worldwide and facilitates online healthcare.

We provide a platform through which patients can submit a treatment request and contact a doctor for a consultation. To this end, we enable digital communication between patient and doctor. In addition, we provide a central online patient file through which patients and doctors can exchange information and store relevant documents centrally. In addition, we support billing between doctor and patient and provide other health-related services.

We do not provide any medical or therapeutic services ourselves. The consultation contract is solely between the patient and the physician.

RESPONSIBILITY FOR DATA PROCESSING

The controller in terms of data protection law is:

Leviomed GmbH

Rainweg 101

69118 Heidelberg

Contact details
Datenschutz@leviomed.com

Tel: 0049622139025650

You can reach our responsible data protection officer at:

Klaus Lange

Oranienstraße 35

65185 Wiesbaden

Tel: +49 611 301299

E-mail: klaus.franz.lange@t-online.de

 

Purposes of data processing

We process your personal data for the following purposes:

  • For the performance of a contract (Art. 6 para. 1 lit. b GDPR): For this purpose, we absolutely need your name, address and important contact data such as telephone number and e-mail address for ongoing communication. Without this information, we are not able to conclude the contract with you or to execute it. If we already request personal data from you before a contract is concluded, we process this data to initiate the contract (Art. 6 para. 1 lit. b GDPR). This is necessary, for example, in the context of preparing an offer.
  • For compliance with legal obligations (Art. 6 para. 1 lit. c GDPR) such as commercial and tax retention obligations and invoicing/accounting, but also the assertion, exercise or defense of legal claims.
  • For the purposes of our legitimate interests (Art. 6 para. 1 lit. f GDPR), e.g. maintaining our IT operations and ensuring IT security, insofar as the fundamental rights and freedoms of the data subject do not conflict with this. If you object to data processing for advertising purposes, we also maintain a blacklist to ensure that your objection can also be taken into account when restoring backups.
  • For the purpose of fulfilling your consent (Art. 6 para. 1 lit. a GDPR)

If we want to process personal data for a purpose not mentioned above, we will inform you in advance within the framework of the legal provisions.

Legal basis and storage period

The data we process will be deleted as soon as it is no longer necessary for the purpose of its processing, unless deletion is not possible due to legal retention periods and further processing is mandatory pursuant to Article 6 (1) (c) GDPR or you have given us your consent to store your data beyond this pursuant to Article 6 (1) (a) GDPR or it is necessary for the establishment, exercise or defense of legal claims pursuant to Article 17 (3) (e) GDPR.

Recipients of your data

Within our company, only those entities will have access to your personal data that need it to fulfill the above-mentioned purposes.

Other recipients of your personal data may be: Order processors (e.g. IT service providers/software manufacturers, data/shredders), tax consultants, banks, postal and parcel services, tax/auditors, external data protection officers, insurance companies, telecommunications providers.

Possible recipients in the event of legal disputes may include: associations, lawyers, debt collection service providers, public prosecutors, courts, bailiffs or other authorities.

 

 

 

 

Overview of processing

The following overview summarizes the categories of data processed, the purposes of the processing and the data subjects.

Types of data processed

  • Personal master data: (title, gender, date of birth, addresses, first name, last name, company name if applicable, professional activity)
  • Content data (e.g. text entries, photographs, videos, medical documents)
  • Contact data: (postal address, e-mail, telephone numbers)
  • Meta/communication data: (e.g. device information, IP addresses)
  • Usage data: (e.g. web pages visited, interest in content, access times)
  • Access data: Date and time of visit to our service.
  • Appointment Data: Date and time of a selected, specific appointment

Categories of data subjects

  • Communication partners
  • Patients (documents see above)
  • Users (e.g. website visitors)

Purposes of the processing

  • Provision of the website to Leviomed
  • Contact requests and communication
  • Reach measurement (e.g. number of visitors)

Health data

Health data are special categories of personal data according to Article 9 GDPR. This special category of personal data poses a particular risk to the rights and freedoms of the data subject and therefore requires special protection. Recital 35 GDPR defines health data as follows:

 

Personal health data should include any data pertaining to the health status of a data subject which reveal information about the past, present or future physical or mental health status of the data subject.

 

In the course of using the Leviomed service, we process user (patient) health data. Leviomed GmbH takes the protection of your health data very seriously. Leviomed is an independent platform operator, but not a member of a health profession (e.g. doctor), so that Leviomed GmbH requires the consent of the users (patients) in accordance with Art. 9 (2) lit. a GDPR for the processing of health data for the provision of your services and their billing. The consent can be deleted by you at any time with effect for the future in your customer account under “Settings Account”.

 

Origin of your data

As a rule, your personal data is collected directly from you as part of the contract initiation/execution.

The legal basis for this is Art. 6 Para. 1 lit. b GDPR

Are you obliged to provide your data?

Within the scope of our contractual relationship, you must provide those personal data that are required for the establishment, implementation and termination of the contractual relationship and the fulfillment of the associated contractual obligations, or which we are required to collect by law. Without this data, we will not be able to perform the contract with you.

Data transfer to third countries

Note on data transfer to the USA and other third countries

We use, among others, services (Agora video calls) from companies based in the USA or other third countries that are not secure under data protection law. If these services are active, your personal data may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities without you as the data subject being able to defend yourself against this in court.

Appointment booking

 

When booking an appointment for a medical consultation, the patient is asked to provide the following data:

 

  • Telephone number, address
  • Fill in current complaints or other questionnaires
  • Need for a prescription, referral, online interpreter
  • Billing address or other payment information such as credit card information
  • Free text for messages to the doctor or clinic

We use the data for patient identification and service provision. The processing of this data is necessary for the implementation of the concluded contract of use. The legal basis for this is Art. 6 para. 1 lit. b GDPR and Art. 9 para. 2 lit. a GDPR. We use the e-mail address of the customer (doctors & patients) for contract-related communication (e.g. queries, appointment reminders). Provided that the patient gives us separate consent, we send e-mail information on health topics and on Leviomed products and services in the health sector.

Registration as a doctor or therapist

In order to use our online platform as a doctor or therapist, we require the following personal data from the doctor:

Personal master data (surname, first name, address of the practice, professional activity, phone number, mail address): We need this data for identification, to check the requirements for the use of our service, for contact and for billing.

 

Data on license to practice medicine and recognition as a medical specialist

We need this data to check if the requirements for using our services are met.

 

E-mail address:

We need this data to contact the physician after successful registration, to query the further data for checking the prerequisites and to complete the registration.

 

Curriculum vitae of the doctor and therapist:

The legal basis for the processing of this data is the fulfillment of the user contract according to Art. 6 para. 1 lit. b GDPR. Without this data, it is not possible to use our service. We delete this data as soon as the purpose is fulfilled (e.g. when the doctor or therapist deletes their account) and no legal retention periods conflict with this.

 

Online consultation:

If the patient requests a doctor’s consultation, they first describe their medical concerns via the Leviomed app. All information is stored in Leviomed’s central online patient file.

Patient and doctor get in touch for a medical consultation. All documents arising in connection with this consultation are stored in the Leviomed online patient file.

The processing of the data is necessary for the fulfillment of the concluded user contract. The legal basis for this is Art. 6 para. 1 lit. b GDPR and Art. 9 para. 2 lit. a GDPR.

 

Online patient file

We maintain a central online patient file in which all data relevant to the medical consultation and billing can be stored. The patient file contains, among other things:

  • Personal details/master data from registration
  • Treatment data of the physician (medical case documentation)
  • other data entered by the physician (e.g. diagnoses, electronic prescriptions, referrals from specialists)
  • data provided by the patient (e.g. health values, photos, videos, documents)
  • Billing information (attending physician, duration and time of video consultation)

 

The patient’s data is stored until the user deletes his or her profile and thus the purpose of storage ceases to apply.

In addition, the patient has the option to voluntarily provide additional information in the online patient record, such as height, blood pressure, heart rate, food and/or drug intolerances, chronic diseases, allergies or diseases in the family.

 

Patient Payment Stripe.

If you choose a payment method offered through the payment service provider “Stripe”, payment processing will be done through Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The integration of Stripe offers patients an easy way to use a credit card as a means of payment. Stripe receives transaction data for this purpose (cardholder name, email address, card information, expiration date, CVC code, date, time and amount of transaction), but at no time health-related data. The data will be passed on exclusively for the purpose of payment processing in accordance with Art. 6 para. 1 lit. b) GDPR.

It is pointed out that when using Stripe, the user’s data may be processed outside the territory of the European Union. This may result in risks for the user, as, for example, the enforcement of user rights may be more difficult. Further information on data protection at “Stripe” can be found at the Internet address: https://stripe.com/de/privacy.

 

Cookies

The data processing described in the following sections is carried out in part with the aid of cookies. Only the operator of the web server that originally set the cookie can access the information stored in a cookie via the Internet. Access by third parties is not possible in this way. Cookies have different expiration times. Some cookies are only active during a browser session and are deleted afterwards, others function for a longer period, but usually less than a year. After the expiration of the functional period, a cookie is deleted from the browser. You can manage cookies via the functions of your browser (usually under “Options” or “Settings”). Thus, the storage of cookies can be disabled, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.

 

System permissions for mobile apps (patients)

If the patient uses our mobile app applications, they require certain system permissions on the respective end device, which we use for the following purposes:

Android/Google operating systems.

  • Telephone: handling incoming and outgoing calls to the Leviomed GmbH hotline
  • Photos/media/files: saving and uploading data to the online patient file
  • Camera: Capturing images for exchange with the doctor; providing video chat
  • Microphone: Enable audio/video chat
  • Internet/network connection: communication with our server, provision of chat functions
  • Disable display lock: Prevent sleep mode during audio/video chat

iOS/Apple operating systems (Patient.)

 

  • Microphone: Enables audio/video chat. The microphone is only accessed and permission requested when you use this feature.
  • Camera: capture images to share with the doctor. Provide video chat
  • Photos: saving and uploading data to the patient record.
  • Permissions are only requested and used when the respective function is used.

 

Google Analytics (critical: already banned in some EU countries, as recently also by the LG Köln [Cologne Regional Court]); recommendation: use Matomo

Leviomed uses the “Google Analytics” and “Universal Analytics” service from Google to record in pseudonymized form how users use our platform, to create anonymized evaluations and to design our platform accordingly in line with requirements.

 

With Google Analytics, we record when the user calls up which pages of our website, the approximate location as well as data about the end device used (e.g. device type, operating system or screen resolution). This data is processed pseudonymously, i.e. the data is not linked to directly identifying information of the user (e.g. name, email address).

 

On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage.

 

Leviomed also uses Universal Analytics. This allows us to obtain information about the use of our platform & app on different devices, i.e. across devices (e.g. aggregate usage on smartphone and laptop). We use a pseudonymous user ID by means of cookie technology, which does not contain any personal data and does not transmit this to Google.

The data collected as part of Google Analytics and Universal Analytics are deleted after 14 months.

The processing of the data is based on your consent pursuant to Art. 6 (1a) GDPR.

 

Privacy information: https://policies.google.com/privacy

 

Use of social media plugins from Facebook

 

All users have the option of clicking on the icons for the social networks Facebook, LinkedIn, Instagram and YouTube on the Leviomed website or platform.

On our website, LevioMed uses the remarketing function “Custom Audiences” of Facebook Inc. (service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; “Facebook”). The data processing is based on your consent pursuant to Art. 6 (1a) GDPR.

Privacy information: www.facebook.com/about/privacy

Please also insert links here to the statements of LinkedIn, Instagram and YouTube

 

 

 

Agora to improve communication between doctor and patient

 

For communication between doctor and patient via video or audio telephony, Leviomed uses the services of Agora, 2804 Mission College Blvd., Santa Clara, CA, USA 95054. The current privacy information of Agora as well as further information is available on the website https://www.agora.io/en/compliance/. Processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR and Art. 9 para. 2 lit. h GDPR for the purpose of carrying out the treatment between the patient and the doctor. The data will only be further processed as long as it is necessary for the aforementioned purposes. Agora works as a processor for us. As part of the processing by Agora, data may be transferred to the USA.

 

Automated decision making or profiling

There is no automated decision making or profiling.

 

Notifications on mobile devices (push notifications)

We send push notifications to the user’s terminal device running the iOS or Android operating system. Push notifications are notifications that are displayed on the end device even if our app is not being used.

We use push notifications to inform the user about medical appointments or updates on treatments received. The messages do not contain health data.

To deliver the push notifications, we need to transmit the content of the notifications to a technical service of the operating system provider.

The legal basis for the processing, including the integration of Apple and Google, is accordingly the performance of the contract according to Art. 6 para. 1 lit. b GDPR.

 

Amazon Web Services (AWS)

We host our website, Leviomed & App and other company data at Amazon Web Services EMEA SARL (EU-CENTRAL-1), Kleyerstrasse 88-90, Frankfurt am Main 60326, Germany (hereinafter referred to as AWS). When you visit our website or use our services, your personal data is processed on the servers of AWS. The use of AWS is based on Art. 6 para. 1 lit. f GDPR.

The servers we use are operated by AWS within the European Union in Frankfurt/Paris. However, we cannot exclude that in individual cases personal data will be transferred from AWS Luxembourg to the parent company in the USA. The data transfer to the USA is based on the EU standard contractual clauses. Details can be found here:

Privacy Information: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/. Further information can be found in the AWS privacy policy: https://aws.amazon.com/de/privacy/?nc1=f_pr.

 

 

Data transfer to third countries

Some of the aforementioned service providers transfer personal data to third countries such as the USA. In the case of data transfers to the USA, there is a risk that this data may be processed by US authorities for control and monitoring purposes without you having any legal protection options, if applicable. In its ruling of 16.07.2020 (AZ: C-311/18), the ECJ determined that the EU-US Privacy Shield agreement is invalid as a possible basis for data transfers to the USA. In order to continue to ensure the level of data protection,

 

Rights of data subjects

Right to object, Art. 21 GDPR

As a data subject, you have the right to object to the processing of your personal data pursuant to Article 21 of the GDPR. In individual cases, exercising your right to object may result in you no longer being able to use the services we offer. You can exercise your right of objection by post or by e-mail. We will then check whether we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or whether processing is necessary for the assertion, exercise or defense of legal claims.

If we process your personal data for direct marketing purposes, you may object at any time. We will then no longer use your personal data for this purpose.

 

Right of access, Art. 15 GDPR

The user has the right to request confirmation from us as to whether we are processing personal data concerning him or her; if this is the case, he or she has a right to information about this personal data and to the information listed in detail in Art. 15 GDPR.

Right to rectification, Art. 16 GDPR

The user has the right to request from us without undue delay the rectification of any inaccurate personal data concerning him or her and, where applicable, the completion of any incomplete personal data, Art. 16 GDPR.

Right to erasure (“right to be forgotten”), Art. 17 GDPR

The user has the right to request that we delete personal data concerning him or her without undue delay, provided that one of the reasons set out in Art. 17 GDPR applies. Furthermore, you have the right to request the deletion or restriction of the processing of your data. If parts of the data are subject to a legal or official obligation to retain data, blocking shall take the place of deletion in the case of data subject to the obligation to retain data. You may furthermore have a right to the return of the data you have provided in a structured, common and machine-readable format. You can assert your rights by post or by e-mail.

Right to data portability, Art. 20 GDPR

The user has the right, under certain conditions, to receive data concerning him or her that he or she has provided to us in a structured, common and machine-readable format, to transmit it and – if technically feasible – to have it transmitted. The user is only entitled to this right if we process personal data on the basis of his or her consent in accordance with Art. 6 Paragraph 1a GDPR or use an automated procedure for processing.

Right to withdraw consent, Art. 7 para. 3 GDPR

If the user has given us consent under data protection law in accordance with Art. 6 para. 1 lit. a GDPR, he has the right to revoke this at any time with effect for the future (by post or e-mail)… This also applies to consent under data protection law that was given to us before the GDPR came into force. The data processing carried out until the revocation remains lawful.

 

Complaint, Art. 77 GDPR

The user has the right to lodge a complaint with a supervisory authority, irrespective of other administrative or judicial remedies.

Federal State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

Lautenschlagerstrasse 20
70173 Stuttgart

https://www.baden-wuerttemberg.datenschutz.de/