Privacy Notice

1. Introduction

For us at Kry, you as an individual and as a patient always come first and this privacy notice (the “Privacy Notice”) explains how we handle your personal data when you sign up to and use our app and when you seek services from us related to technically and administratively enabling remote medical consultations provided by physicians you may book via our App (the “Services”).

This Privacy Notice describes who is responsible (data controller) for the processing of personal data about you. It also describes how we process your personal data, our legal basis for doing so as well as your rights in relation to the processing of your personal data, how to exercise them and how to get in touch with us if you have any questions about our data protection practices.

It’s important to note that Kry does not itself provide healthcare services. All consultations, including medical advice, recommendations and treatment plans you receive via our app (“Tele-Consultation Services”) are provided by independent third party healthcare professionals that are not controlled or affiliated with Kry (“partner doctors”). These partner doctors are responsible for all processing of personal data in the context of providing you with Tele-Consultation Services. You will be provided with information about their privacy practices in connection with a consultation with a partner doctor.

2. Who is responsible for the processing of your personal data?

DMS Digital Medical Supply Germany GmbH, Registrierungsnummer HRB 192856, Julie-Wolfthorn-Straße 1, 10115 Berlin (“Kry”), which makes available the ”Kry” technical platform and application in Germany (the “App”) is the data controller for the processing of the personal data taking place as part of providing you with the App and our Services.

As further described above, the Tele-Consultation Services are not provided to you by Kry or other companies of the Kry group. Instead, Kry provides the App and the Services which allows you to connect with the partner doctors. The partner doctors are responsible for providing the Tele-Consultation Services, and act as independent data controllers for all processing of personal data that they carry out in the context of providing you with Tele-Consultation Services. The identity and contact details of the partner doctors will be communicated to you in connection with the commencement of a consultation.

In relation to the Tele-Consultation Services, Kry acts, in capacity as data processor, only as a supplier of the technical platform and the related service. This means that your personal data is only processed by Kry according to the instructions of the partner doctors.
Contacts
If you have any questions, comments or complaints regarding the processing of your personal data in connection with your use of the Services, you are always welcome to contact us using the contact details set forth above, by sending an email to service@kry.de or by reaching out to our data protection officer on datenschutz@kry.de.

3. Which personal data do we collect?

The section describes the categories of personal data about you which are collected and processed in connection with the App and the Services. You are not required to provide the personal data. However, if you do not provide your personal data, we may not be able to provide the App and the Services to you or, as the case may be, the provision of the App and the Services may be delayed.

3.1. User Data
Kry processes the following personal data about you, which collectively are referred to as User Data;
Registration Data: personal data which you register via your account, including your name, gender, address, email address, phone number and insurance type;
Identification Data: for identity purposes, Kry may request additional information, including your picture and relevant documents evidencing your identity.
Usage Data: technical information generated by your use of the services. This includes IP address, login information, type and version of operating system and unit, connection type, time settings, language settings, device type and version, and application logs.

3.2. Health Data
When you seek remote consultations with a partner doctor via our App, you are asked to share data linked to your physical and/or mental health so that we can schedule a consultation for you with a partner doctor. You do this primarily by filling in the relevant symptoms form in the App or by submitting data via your health profile. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. We will also collect data about consultations with partner doctors, including date and time of meetings, type and length of meeting, waiting time, outcome of meeting (e.g. prescription, referral, sick note), price category of meeting, if the meeting was with you or your child and diagnosis code. We will also collect data about prescriptions you receive for the purpose of helping you to get them redeemed and delivered. Occasionally, and only with your consent, we may also get access to your medical records for regulatory and quality control purposes. Personal data, which is described above in this section, is referred to as “Health Data” below.

4. For which purposes and on which legal basis is your personal data processed?

4.1. Providing you with our Services
In connection with the provision of the Services Kry process your User Data for the following specific purposes:
(i) to allow you to register, provide you with authorization to login and use your user account;
(ii) to verify your identity and age;
(iii) to operate and maintain the App and the related technical platform, including features such as (video call and consultation systems, booking systems, and administrative systems) which are necessary for your consultations with physicians, including to inform partner doctors about who you are and your symptoms prior to a consultation ;
(iv) to allow you to pay for the Service, and to handle settlement and assertion of the claims incurred in connection with the Tele-Consultation Services provided by the partner doctors;
(v) to administer your prescriptions, including to submit such data to the pharmacy of your choice;
(vi) to maintain your profile and to handle your choice of settings;
(vii) for quality control purposes (including ensuring acceptable levels of healthcare services by partner doctors, and investigation of queries, requests and complaints);
(viii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.

The legal basis for all purposes described in (i) to (vii) above is to perform the contract with you as described in our General Terms and Conditions (based on Art. 6 (1) (b) GDPR) and to pursue our legitimate interests (based on Art. 6 (1) (f) GDPR). To the extent your Health Data is processed for the purposes described in purpose (iii) to (viii) such processing is based your explicit consent (according to Art. 9 (2) (a) GDPR).

4.2 To market products and services and improve your user experience
With your consent, Kry will process certain User Data for the purpose of providing you with news, updates and promotional content via email and other electronic communications channels, such as in-app and push notifications. Such communications will be based on what we know about you as a user, including which features you tend to use, and which prior communications you have showed an interest in, as well as basic demographic and geographic data about you, including your age, gender, the region in which you reside and whether you are using the Service for yourself or for your children. However, no health data will be used for such communication. With your consent, we may also send you health related communication such as health recommendations, tips and relevant health information customized for you.

You may opt out of receiving marketing-related communications from us at any time by updating your preferences in your account settings or using unsubscribe links provided in the footer of all emails.

4.3. To perform legal obligations, to defend against claims and to respond to legal process
Kry may also process your personal data to the extent necessary to fulfil its legal obligations under applicable law (according to Art. 6 (1) (c) GDPR), for example under accounting and bookkeeping law as well as when we have a legitimate interest to defend against claims or to otherwise respond to legal process as set forth in Art. 6 (1) (f) of the GDPR (and where Health Data is involved, according to Art 9 (2) (f) of the GDPR)

4.4. To be able to evaluate, develop and improve the quality of our Services
Kry may process your personal data for the purpose of developing and improving the App, the Services and the systems used to provide the App and the Services. We will for example use your personal data to make the App more user-friendly and to simplify the user journey by personalising the experience based on your data and needs. We will also use your personal data to introduce or to improve functions, which we deem relevant to our users or as part of quality improvement projects aiming to facilitate and improve the Tele-Consultation Services provided by the partner doctors. Our legal basis to process your personal data for the purposes described above is our legitimate interest to developing and making improvements to the Services (Art 6 (1) (f) of the GDPR. In the event Health Data would be involved, we would only carry out such processing with your consent (Art 9 (2) (a) of the GDPR).

With your consent, Kry may also anonymize or aggregate your personal data for processing in anonymous form, for example to develop new features for our App, to customise our Services, optimise our user journey and improve our users’ experience of the App more generally.

4.5 To find out whether users found us via ads on websites of our ad partners and to remunerate our ad partners
When you click on one of our ads on the website of our advertising partner, you are redirected to our website and then further redirected to an app store. On our website, we create a log file with
an irreversibly hashed version of your IP address and information on your device (e.g. “Macintosh; Intel Mac OS X 10_14_6”),
the timestamp of your request and
the name of the advertising campaign.

When you register for an account in our app, we will also create an irreversibly hashed version of your IP address and information on your device (e.g. “Macintosh; Intel Mac OS X 10_14_6”).

We match the hash values in both of these log files in order to identify how many users registered for an account in our app after having clicked one of our ads on the website of our advertising partner.

We store the hashes for one week after the creation of the hash. We do not combine this data with any other data, particularly not with your account data, your name or your health data.

We use the outcome of this matching solely for the purposes of (1) understanding how many users registered an account for our app based on a specific marketing campaign and to (2) remunerating our ad partner, which is remunerated based on the number of successful registrations upon a click on our ad on its website.

Our legal basis to process your personal data for the purposes described above is our legitimate interest to (1) understand how many users registered an account for our app based on a specific marketing campaign and to (2) remunerate our advertising partners as per our agreement with them (Art 6 (1) (f) of the GDPR).

5. How long do we keep your personal data?

We only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 4 above. This means we keep it as long as it is necessary to provide you with the Services, to fulfil our respective legal obligations, defend against claims etc. as further described above.

This means that Usage Data (as defined in Section 3.1. above) usually is stored for 2 years. Other personal data is generally erased or anonymised not later than one (1) month from the time at which you close your user account with us, provided it is not necessary to save the data to fulfil legal obligations (in particular to comply with records retention obligations, which inter alia require to retain certain business communications or documents relevant for taxation up to ten years), in addition, if a judicial or disciplinary action is initiated, your personal data will be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law..
Where your data is processed by us on the basis of your consent, we will delete or anonymise your data if you withdraw your consent (unless there is a legal requirement, e.g. on the basis of statutory retention obligations, or legal permission to keep such data for a longer period of time).

6. Third parties with whom your personal data may be shared

6.1. Service Providers of Kry
In order for us to be able to offer you the Services, Kry uses other companies of the KRY group or external service providers providing services in the fields of hosting and technical infrastructure (servers, databases, remote computing power) and marketing and payment platforms. In particular, the Kry engages its parent company Kry International AB (a company established in Sweden) for the IT services in connection with the provision of the Kry App and related platform. These service providers process personal data in capacity of data processors on behalf of Kry for the sole purpose of providing the services requested by Kry, and only according to Kry’s instructions.

6.2. Insurance companies
If you have been referred to us by your insurer or have an insurer with which Kry cooperates, we may disclose information to your insurer that you have used the Services as well as the outcome of health consultations and other details about your health condition, however, only based on your separate consent which will be sought from you in connection with using our Services via your insurer. This Privacy Notice does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.

7. Do international data transfers out of the EEA take place?

Your health-related personal data (i.e. Symptoms Data and Consultation Data) is always stored within the European Economic Area ("EEA") and will in no case will be internationally transferred to recipients located outside the EEA.

Other personal data is primarily stored within the EU. However, some of the recipients of your personal data will be located or have relevant operations outside of your country and the EEA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Commission does not exist. Kry will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law.

Recipients located outside of the EEA are located in the US. These companies are certified under the EU-U.S. Privacy Shield and, in each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective. The recipients are also bound by data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC) as referred to in Art. 46 (5) GDPR, which are accessible upon request (please reach out to datenschutz@kry.de). Kry has established that all such recipients will provide an adequate level of protection for the personal data and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer is subject to appropriate onward transfer requirements as required by applicable law.

8. Your rights as a data subject in the App and user of the Services

You have a number of rights related to personal data we have about you which depending on the requirements and limitations set out in applicable data protection you may exercise.
You may at any time contact us in order to:
request access to, and information about, the personal data which is being processed in conjunction with your use of the App and/or the Services. You have the right to obtain a copy of the Personal Data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs;
ask us to correct any incorrect information about you;
request that your personal data be erased;
ask us to restrict the processing of your personal data where you believe (a) such data to be inaccurate, (b) our processing is unlawful, or (c) we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim. In addition, a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded;

if we use your personal data on the basis of your consent, exercise your right to withdraw your consent at any time, free of charge. This includes where you wish to opt out of marketing messages. However, note that if you withdraw your consent with respect to use of Health Data for any of the purposes described under Section 4.1. above, Kry will be unable to further provide the App or Services to you; or
request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).

Should you wish to contact us regarding any of the rights above, we encourage you to contact us via our website, or by sending an email to datenschutz@kry.de. As described above, partner doctors are independent data controllers for any processing of your personal data taking place as part of providing you with the Tele-Consultation Services. Therefore, please contact the relevant partner doctor if you have a request or if you wish to exercise any of your rights in respect of the Tele-Consultation Services.

9. Right to file a complaint with the Data Protection Authority

With this Privacy Notice we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us via the contact details provided in Section 8 above. We would also like to inform you that, should you believe that the processing of your personal data is incorrect or does not comply with legal requirements, you have the right to file a complaint with a Data Protection Authority, in particular (a) the competent Data Protection Authority of your place of residence, or (b) our competent Data Protection Authority, which is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Issue Date: 25 November 2019