Status as of 27.09.2022
1. Responsible person in the sense of the DS-GVO
Endo Health GmbH
Commercial register: HRB 33447
Register court: Local court Chemnitz
Dr. med. Nadine Rohloff
Telephone: 0371 335603 00
E-mail: [email protected]
Support for the Endo-App:
Phone: 0371 335603 01
E-mail: [email protected]
2. Data protection officer of Endo Health GmbH
Endo Health GmbH has appointed a certified data protection officer.
Name: Markus Rothenhöfer
E-mail: [email protected]
You can check the qualifications of our data protection officer here (external links):
Certified Information Systems Auditor (CISA): Check CISA certificate.
Certified Information Security Manager (CISM): Check CISM certificate
3. Download the Endo-App via Google Play Store or Apple App-Store
When downloading the app, the necessary information is transferred to the App Store or Google Play Store.
These are in particular the user name, email address and customer number of your account, time of download, unique number of the end device (IMEI), the mobile phone number (MSISDN), the MAC address for WLAN use and the unique number of the network subscriber (IMSI).
We have no influence on this data collection and are not responsible for it. This data is not processed or stored by us.
Please check the data protection information of Apple (external link) and Google (external link).
4. Automatic data transfer from your smartphone
While using the Endo app, we automatically process certain information from you to ensure the use of the app.
This includes for example:
- IP address
- Date and time of the request
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Content from which the request comes
- Operating system and its interface
- Version of the Endo-App
This data is automatically transmitted to us in order to provide you with the service and related functions. This data processing is based on the legal basis that, in relation to the purpose of using the app, the processing is necessary for the performance of a contract or quasi-contract between you and us pursuant to Art. 6 para. 1 lit. b) DS-GVO.
Insofar as we use this information to prevent misuse, we have a legitimate interest in ensuring the functionality and error-free operation of the app and in being able to offer a service that is in line with the market and interests (Art. 6 para. 1 lit. f) DS-GVO). 5.
5. Data provided by you for the registration and use of the Endo-App
For the registration and use of the app and to enable the functions of the app listed below, we collect the following personal data from you:
- First name or pseudonym
- E-mail address
First name or pseudonym is used to address you in the Endo app. You do not have to provide your real first name. The first name is not used for identity verification and is irrelevant to the functioning of the app. The first name is only used for a more pleasant user experience, as it allows you to be addressed more personally in the dialogues in the app.
Your email address is necessary to keep your account secure. For example, we use your email address as part of the forgotten password function. If you enter an incorrect or invalid e-mail address, the forgotten password function can no longer be used. As a matter of principle, we do not send any advertising to your e-mail address and do not pass on the data to third parties.
Your password is set by you and stored on our servers with a hash function so that we can check your identity when you log in. „Hash function“ means that your original password cannot be recovered from the hash value of your password. This ensures that no one can read your password. Here you can read about how one-way encryption (hashing) works: Hashing at Wikipedia (external link).
If you are logged in to the Endo app, you can change your password at any time. If you have forgotten your password, you can use the forgotten password function when logging in. A code will be sent to your email address to verify your identity. You can then set a new password.
If you have forgotten your password and your e-mail address is invalid (for example, you no longer have access to the e-mail address), it is not possible for us to reset your password. In this case, you will need to create a new account with a valid email address.
To ensure the ease of use and security of the Endo app, usage data is also processed. For example, we store which sections of the learning modules you have already completed. This usage data is necessary for the proper functioning of the Endo app.
The legal basis for the aforementioned data processing is Article 6 (1) (b) DS-GVO (contract performance).
6. Processing of your health data for the use of the Endo-App
The digital health application Endo-App supports endometriosis sufferers by providing evidence-based and guideline-compliant content, methods and exercises of multimodal pain therapy and endometriosis therapy (hereinafter „support for endometriosis sufferers)“. The Endo app includes a comprehensive endometriosis symptom diary. The diary allows you to document symptoms, influencing factors, activities and important events related to your endometriosis.
In the process, so-called health data are processed. Health data belongs to the so-called special personal data, i.e. particularly sensitive data. These data allow conclusions to be drawn about your past, present and future state of health. In accordance with Art. 9 Para. 1, 2 lit. a) DS-GVO, your health data will be processed exclusively on the legal basis of your express and voluntary consent.
Your health data will be processed for the purpose of supporting endometriosis sufferers through the digital health application Endo-App as described above, i.e. for the intended use of the digital health application Endo-App and, if applicable, for the proof of positive care effects within the scope of a trial pursuant to Section 139e (4) of the German Social Code, Book V (SGB V) and, if applicable, for the proof of agreements pursuant to Section 134 (1) sentence 3 of the German Social Code, Book V (SGB V).
Health data is only stored and processed when you enter it in the Endo app. The Endo app does not read data from third parties (such as Apple Health).
Your health data is stored on secure servers of Endo Health GmbH exclusively in Germany. The health data is only transmitted and stored in encrypted form.
7. Other cases of data processing
- Billing to the health insurance company in accordance with § 302 SGB V:
As the Endo app is paid for by the statutory health insurance funds, we are obliged to transmit corresponding billing data to them. The activation code, which you receive from your health insurance company and then enter into the app, is essential for billing. This processing is carried out in accordance with the provisions of § 302 SGB V. No health data will be transmitted to the health insurance companies. The legal basis for this data processing is Art. 6 bs. 1 lit. c) DS-GVO.
After your health insurance company has sent you an activation code, you can use this activation code to activate the use of the Endo app as a digital health application. For this purpose, the Endo app requests the following access rights exclusively for the following purpose:
Photo camera: for reading the activation code (barcode).
If you refuse this, access to the photo camera or media will be disabled for the Endo app and you will not be able to use the corresponding functions of the Endo app as a digital health application. You can grant or revoke permission later in the settings.
- Fulfilment of obligations under medical device law according to MDR or MDD/MPG:
As the Endo app is a certified medical device, it complies with the relevant legal requirements for medical devices. Under certain circumstances, it may be necessary for us to process your data for this purpose. For example, if we report a risk to the supervisory authorities for the protection of our users. The legal basis for this data processing is Art. 6 para. 1 lit. c) DS-GVO and, insofar as health data is processed, Art. 9 para. 2 lit. i) DS-GVO.
- Anonymised data analysis to improve the app and support endometriosis research
If you give your consent, the Endo app may use anonymised user data for continuous improvement and research. Data analysis can enable us to better identify relationships between symptoms, events and activities. It is a small but significant step towards better understanding endometriosis. We plan to publish the results of this anonymised analysis. In this publication, individual participants and their personal data will not be identifiable. The publishers of publications will have random samples of the research data sent to them in anonymised form. This is to check the credibility of the publication. After verification, the data is destroyed. From the moment of anonymisation, it is no longer personal data, i.e. you and your data are no longer identifiable. Your consent is required for anonymisation as such and for us to use your anonymised data as described above. Consent is not required to use the Endo app. If you give your consent, you can revoke it at any time, e.g. under the „Settings“ or via the contact details mentioned at the beginning.
8. Who receives my data?
Commissioned data processing
If we use a service provider in terms of commissioned processing, we still remain responsible for the protection of your data. All commissioned processors are contractually obliged to treat your data confidentially and to process it only in the context of providing the service. The processors commissioned by us receive the data insofar as they require the data for the fulfilment of their respective service. Processors are, for example, IT service providers that we need for the operation and security of our IT system.
Currently, the data is processed in encrypted form in a data centre operated by Telekom Deutschland GmbH (Am Schiens 1, 39221 Bördeland). The registered office of Telekom Deutschland GmbH is Landgrabenweg 151, 53227 Bonn. Detailed information on ensuring compliance with DS-GVO can be found here: https://open-telekom-cloud.com/de/sicherheit/datenschutz-compliance (external link).
Your activation code will be processed by Noventi HealthCare GmbH (Einsteinring 41-43, 85609 Aschheim near Munich) in order to bill your health insurance company for the use of the digital health application Endo-App.
No transfer of data to third parties (responsible parties)
Your data will not be passed on to third parties or processed for purposes other than the use of the app.
9. No transfer of your data to a third country (outside the EU)
We do not transfer any data to a third country, i.e. to recipients outside the European Union. Our servers are operated in a data centre (Am Schiens 1, 39221 Bördeland) Germany. Your personal data is processed exclusively in Germany and thus within the European Union.
10. Storage period and deletion concept
We will store your data, if you have consented to the processing, at most until you revoke your consent or until your registration in the Endo app or the use of the Endo app as a whole ends or you delete your user account and uninstall the Endo app. If you withdraw your consent or your registration in the Endo app or the use of the Endo app as a whole ends or you delete your user account and uninstall the Endo app, we will delete your personal data immediately. You can export your data at any time before it is deleted.
We store your data if we need the data to perform a contract, at most for as long as the contractual relationship with you exists, i.e. until your registration in the Endo app or the use of the Endo app as a whole ends or you delete your user account and uninstall the Endo app. If your registration in the Endo app or your use of the Endo app as a whole ends or you delete your user account and uninstall the Endo app, we will delete your personal data immediately. You can export your data at any time before deletion.
The following applies to both of the above points: The application is basically designed for repeated prescriptions by your doctor. In order to enable seamless further use of the Endo app, we will remind you 15 days before the end of the maximum prescription period of 90 days that a new prescription by your doctor is required for seamless further use of the Endo app. If you do not enter a new activation code for a further 90 days of use by the end of the maximum prescription period of 90 days, the contractual relationship ends and we delete your personal data immediately. You can export your data at any time before deletion.
We process the personal data collected on the basis of legal obligations pursuant to Art. 6 (1) lit. c) DSGVO within the legally stipulated periods. We have to process the data required by legal requirements (typically invoice data and details of the service provided) for the purposes of accounting and compliance with legal retention obligations. The storage period for documents relevant to VAT payments is 10 years after the end of the accounting year in which the service was rendered. At the end of the aforementioned legally prescribed retention period, we will immediately delete your personal data. You can export your data at any time before deletion.
You have the option of deleting your personal data directly in the Endo app. Upon deletion, all stored data will be irrevocably deleted. A deleted user account cannot be restored.
After the expiry of your prescription, your user account will be deleted automatically and immediately.
If your user account is inactive, it will also be deleted if you do not respond to our e-mail with the relevant information about the impending deletion due to inactivity. You can export your data at any time before your user account is deleted.
You have the possibility to revoke your consent at any time. You can revoke your consent within the Endo app, for example, by calling up the „More“ menu in the navigation. Then select the menu item „Data protection declaration“ and press the button „Revoke data protection consent“. You will be asked to confirm the revocation. After confirmation, your account and all your data will be irrevocably deleted immediately. You can also revoke your consent by contacting us via the data mentioned in point 1.
The aforementioned points serve your right to have your personal data deleted (right to erasure or right to be forgotten). Alternatively, you can request the restriction of the processing of your personal data (right to restriction of processing). We will inform you about your rights in full and separately in section 13.
If your personal data has been deleted or processing has been restricted, we will inform all recipients to whom your personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. In that case, we will inform you about these recipients if you so request.
11. Security at the Endo-App
We have taken technical and organisational measures to protect your personal data against loss, destruction, manipulation and unauthorised access.
All our employees and service providers working for us are obliged to comply with the applicable legal regulations on data protection. All transmissions are exclusively encrypted. This means that your data cannot be misused by third parties. Data is only stored in encrypted form.
12. No profiling and no automated decision making
No automated decision-making or profiling takes place.
13. What data subject rights do I have?
You have the right to information, to correction, to deletion or to restriction of the processing of your stored data at any time, a right to object to the processing as well as a right to data portability and to lodge a complaint in accordance with the requirements of data protection law.
Right to information Art. 15 DSGVO:
You can request information from us as to whether and to what extent we process your data.
To exercise this right, you can export and check the stored data directly in the app.
Right to rectification according to Art. 16 of the GDPR:
If we process your data that is incomplete or incorrect, you can request that we correct it at any time.
You have the option of correcting your user data directly in the app.
Right to deletion according to Art. 17 DSGVO:
You can request that we delete your data.
To do this, you can carry out the deletion in the Endo app in the menu item „More“ under „Account“.
Right to restriction of processing according to Art. 18 DSGVO:
You can request us to restrict the processing of your data if
- you dispute the accuracy of the data for a period of time that allows us to verify the accuracy of the data.
- the processing of the data is unlawful, but you refuse erasure and instead request restriction of the use of the data,
- we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
- you have objected to the processing of the data.
Right to data portability according to Art. 20 DSGVO:
You can request that we provide you with the data you have provided to us in a structured, common and machine-readable format.
For this purpose, you will find an export function in open XML format in the Endo app under „Settings“.
Right to object:
As long as we process your data, you can object to this data processing at any time. We will then no longer process your data.
Right of complaint:
If you are of the opinion that we violate German or European data protection law when processing your data, please contact us to clarify the situation. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.
If you wish to assert one of the aforementioned rights (information, correction, deletion or restriction) against us, please contact our data protection officer (see above).
Compliance with a special form is not necessary for the assertion of your aforementioned data subject rights. For example, write an email to [email protected] or use one of the other contact options via the data mentioned in point 1 above.
14. Am I obliged to provide data?
The processing of your data is necessary for the use of the Endo app. However, you are not obliged to provide data. If you do not provide all data, this may result in limited functionality of the Endo-App.
15. Using the digital health app in a potentially unsafe environment
Please note that it is up to you to decide in which environment you use the Endo digital app.
There may be security risks when using the Endo app in unsafe environments.
Examples of unsafe environments are: Using untrusted, unencrypted connections such as in coffee shops; using public or shared smartphones such as a family mobile phone; unattended mobile phones in public places; mobile phones with security risks such as viruses.
We cannot protect you from these security risks as they are beyond our control.
We recommend that you only use the Endo app on your private mobile device and that you protect it adequately from unauthorised access by third parties.