Privacy Policy
Last updated 5th of June, 2024
Information on the collection of personal data
We provide you with a mobile app “HealChain” (hereinafter “HealChain App”) that you can download to your mobile device. In this Privacy Policy we provide information about how we collect and store personal data of users of the HealChain App (hereinafter “User” or “you”).
Personal data means any data that are connected to you and can be used to identify who you are including your name, address, email addresses, information you enter within the HealChain App, including sensitive personal data, HealChain App use behavior etc.
The person responsible for compliance in accordance with Art. 4 (7) of the Regulation (EU) 2016/679, General Data Protection Regulation (hereinafter “GDPR”), i.e. the data controller is HealChain GmbH, Frankfurter Str. 27, 65760 Eschborn, Germany
001@healchain.com(see our imprint: www.HealChain.app/impressum) (hereinafter “HealChain GmbH”).The company data protection officer can be contacted at the above address, at data protection department, or 001@healchain.com.
When you contact us via email or a contact form, we will store your email address and, if you have provided it, your name and telephone number to answer your questions. We delete this after storage is no longer required or - in the case of legal storage obligations - restrict processing.
Processing of Personal Data when downloading and using HealChain APP
When downloading the HealChain App, the required information is transferred to the App Store or Google Play store, in particular User name, email address, time of download and the individual device ID number and is processed pursuant to Apple's privacy policy or Play store privacy policy, linked here: https://www.apple.com/legal/privacy/en-ww/ and https://policies.google.com/privacy?hl=en-US. We have no influence on this data collection and are not responsible for it.
When using HealChain, we collect the following log file data:
IP address, also in the API logs
Date and time of the request
Content of the request (concrete page, concrete API endpoint)
Access Status/HTTP Status Code
Amount of data transferred in each case
End device from which the request comes
User Agent
Operating system and its interface
Language and version of the User Agent.
HealChain App version.
This data is required by us from a technical point of view in order to offer the various functions of HealChain App as well as to ensure the stability and security of HealChain App and to enable comfortable use of the HealChain App functions. This processing purpose also represents a legitimate interest which, according to Art. 6 (1)(f) of the GDPR, is the legal basis for data processing. IP addresses in log files are deleted after 14 days.
Furthermore, when HealChain App is started for the first time, we assign a unique installation ID for each installation, which is stored on a HealChain App server. It contains no personal data. If you delete HealChain App and then reinstall it, a new installation ID will be generated. This will be assigned so that a connection to the HealChain App server can be established when starting HealChain App on the mobile device to check if the version of HealChain App you are using is still up to date. HealChain App can be updated to implement new features or to ensure data security.
In order to use the HealChain App, you must register with your first and last name, e-mail address, telephone number in order to take advantage of HealChain App services. This creates a contract of use between HealChain GmbH and you and you will receive your own User account. The legal basis for this is Art. 6 (1)(b) of the GDPR, because we use this personal data for the execution of this contract. The data you provide will be transferred to the Google Cloud and stored on a server in Germany. The Google Cloud is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. Under some circumstances, Google may transfer your personal data to the United States where there is no Adequacy Decision of the European Commission and therefore, we implemented additional safeguards to ensure that your personal data are adequately protected, in particular we entered into Standard Contractual Clauses with Google. You may find the standard wording of these Clauses at the webpage of European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-prot ection/standard-contractual-clauses-scc_en or you may write to us using the above contact details for the copy of the applicable Clauses.
Alternatively, you can log in using your Google user account. For this we collect the following personal data:
First and Last Name
E-mail address
The personal data disclosed by you through the subsequent use of HealChain App will be processed by Google, please refer to the Google privacy policy.
You can also log in using your Apple user account ID. For this we collect the following personal data:
First and Last Name
E-mail address
The personal data disclosed by you through the subsequent use of HealChain App will be processed by Apple, please refer to Apple's privacy policy.
In addition to the data processed under other provisions of Privacy Policy, when using the HealChain App, additional personal data may be processed, which may include in particular the following categories of data:
Your identification details (first name, last name, date of birth, insurance number, contact address, email address and telephone number);
your gender and body measurements (height, weight, etc.);
information about your physical activities and lifestyle (nutrition, energy intake, blood type, blood pressure, heart rate, body temperature, BMI, etc.);
information about your health (medical examinations and laboratory tests you have had, consultations with your doctor, medicines you take, operations, illnesses and allergies, whether you may be an organ donor (if any), etc.);
information about your attending physician;
information about you relatives;
The specific scope of the personal data that we will process about you will be determined by you depending on what features of the HealChain App you choose and activate or what activities you will perform on the HealChain App. We will collect, store and process only such of your data that you voluntarily provide to us in connection with the use of the HealChain App, or such data that we obtain with your consent from other persons (in particular doctors, medical institutions or other providers of health or similar services whose services you use).
The information you provide is voluntary and serves the purpose of enabling us to provide you with more accurate information. We may also analyze such information for research and statistical purposes in order to provide you with information that may be of interest to you and to determine if you are eligible to participate in rewards projects.
The processing is based on your consent (Art. 6 (1) (a) and Art. 9 (2) (a) of the GDPR) which is provided by clicking on “Accept and Continue” button within the HealChain App when you enter such information or by your specific separate consent which you explicitly give in the HealChain App for specific purposes (such as access to your medical data from your medical institutions, project participation etc.). You are free to revoke your consent at any time without giving reasons by clicking on “delete all my personal data” within the HealChain App. This does not affect the legality of the processing carried out up to that point.
You can delete your account at any time by clicking the “Delete my personal data” button within HealChain App. The data stored by us will be deleted as soon as the purpose of storage no longer applies and the deletion is not contradicted by any legal storage obligations. By uninstalling the HealChain App, the active processing of your personal data is stopped, however the personal data is not deleted. If you uninstall the HealChain App and/or you are not active in the HealChain App for at least 6 months you will receive a reminder by email. If you are not active for another 6 months you will receive another reminder email and if you remain inactive for further 6 months, your account and your personal data will be permanently deleted (unless we are subject to any statutory retention obligations). If you wish to delete your personal data immediately without being able to restore your profile you can do so by clicking the “Delete all my personal data” button within the HealChain App.
If you keep your information and profile up-to-date, we may invite you (through the HealChain App) to participate in research for example by filing a questionnaire in relation to medicine or nutrition supplement development or development of health / medicine services. You will receive such an invitation within the HealChain App and by email. If you agree to participate, you will receive a contract proposal from us, for which you will have to identify using the online KYC tool (if you did not do so before) in order to satisfy the legal Anti-Money Laundering / Know Your Customer requirements. We process such identification data in order to satisfy legal AML/KYC obligations (Art. 6 (1)(c) of the GDPR) for the time period required by such legislation. Such a contract will also specify more details about the rewards you will receive for participation.
We use Google Analytics and Google Firebase, both services provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, to
analyze the general use of HealChain App, especially app installations/uninstallations, disease questionnaires, activities in the search for treatment and other legitimate purposes, trials, starting a session or forgetting a password (Google Analytics);
collect diagnostic data to ensure technical stability of the HealChain App (Google Firebase);
Your IP address will be processed. We use the anonymization function of Google, whereby the IP address is shortened in the EU/EEA for anonymization purposes and is transmitted in shortened form to Google servers in the USA. We use the anonymized reports on the general use of HealChain App created by Google and transmitted to us in order to continuously improve our service and increase the user-friendliness of HealChain App. This processing purpose also represents a legitimate interest which, according to Art. 6 (1)(f) of the GDPR, is the legal basis for data processing
The data is processed in the USA where there is no Adequacy Decision of the European Commission and therefore, we implemented additional safeguards to ensure that your personal data are adequately protected, in particular we entered into Standard Contractual Clauses. You may find the standard wording of these Clauses at the webpage of European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-prot ection/standard-contractual-clauses-scc_en or you may write to us using the above contact details for the copy of the applicable Clauses.
Data will be deleted when it is no longer necessary for the purpose of collection because the option to collect and further process information on diagnosis and usage behavior in HealChain App has been deactivated.
If you grant us your consent (Art. 6 (1) (a) and Art. 9 (2) (a) of the GDPR) we may send you marketing messages, ads and other promotional campaign materials concerning products and services of HealChain GmbH as well as our partners by sending notifications within the HealChain App. Granting such consent is voluntary and may be revoked at any time within the HealChain App. If you grant such consent, you may receive a reward based on the profit from the marketing campaigns of our partners in the HealChain App, provided that you click on the respective ad, or play the promotional video in full. Upon granting the above-mentioned consent you will receive a contract proposal from us, for which you will have to identify using the online KYC tool (if you did not do so before) in order to satisfy the legal Anti-Money Laundering / Know Your Customer requirements. We process such identification data in order to satisfy legal AML/KYC obligations (Art. 6 (1)(c) of the GDPR) for the time period required by such legislation. Such a contract will also specify more details about the reward program.
Processing of personal data when using the HealChain App Twin feature
A HealChain Twin is a patient in the HealChain App community whose diagnosis is similar to yours (hereinafter “HealChain Twin”). HealChain Twins can use a private chat to share experience. The chat is based on Ethereum blockchain technology. The aim of the feature is to bring patients with the same or similar diagnosis together.
As part of a matching process, you as a User will be matched together with up to 3 other patients, HealChain Twins, who have activated this feature and have a similar profile. In order to find a matching HealChain Twin, the following parameters are compared, which we collect from you to carry out the matching process:
Indication
Sex
Age
Other health data, depending on indication type
Physical Separation
The purpose of this feature is to bring together patients and promote the exchange of experiences and information between patients who have a similar diagnosis. The processing is based on your explicit consent (Art. 6 (1) (a) and Art. 9 (2) (a) of the GDPR) which is provided by clicking on the “Accept and Continue” button upon activation of this feature. You are free to revoke your consent at any time without giving reasons by clicking on “delete all my personal data” within the HealChain App. This does not affect the legality of the processing carried out up to that point.
If the last login date is more than 6 months old, the corresponding profile is automatically removed from the database and can no longer be matched with new HealChain Twins.
HealChain Twins can exchange information in a chat integrated in HealChain. Users must register for the feature and select a nickname before being matched with their HealChain Twin(s). This nickname can be edited in the settings. When Users exchange messages via the built-in chat, the end-to-end encrypted messages are stored on a public Ethereum blockchain.
For this purpose, HealChain App has provided a node that takes on the function of an intermediary to forward the chat message to the Ethereum blockchain. Before a message is transmitted and stored on the blockchain, it is fully encrypted locally on the patient's mobile device using end-to-end encryption. The private key needed to encrypt the message is stored on your physical device the whole time and is not shared with HealChain GmbH or other Users. Only when the encrypted message is received by the HealChain Twin, this message is decrypted with a corresponding key on the mobile device of the HealChain Twin who is to receive the message.
The purpose of this chat function is to enable the exchange of information and experiences in a simple way and without big hurdles, offering at the same time a high level of security. The processing is based on your consent (Art. 6 (1) (a) and Art. 9 (b) (a) of the GDPR) which is provided by clicking on “Accept and Continue” button upon activation of this feature. You are free to revoke your consent at any time without giving reasons by clicking on “delete all my personal data” within the HealChain App. This does not affect the legality of the processing carried out up to that point. In this case, the chat associated with your profile will be deleted from your device, however the chat history will remain available to your HealChain Twin. Same effect shall occur if you block your HealChain Twin.
The server location cannot generally be assigned to a specific country due to the blockchain infrastructure (Public Ethereum blockchain), but by encrypting the chat content using a public key encryption method, the data is not recognizable by anyone else.
Hashed metadata is not stored on the Ethereum blockchain.
Processing of personal data when using My Data Vault
The “My Data Vault” feature is offered via the HealChain App. This allows Users to upload their medical documents and store them in predefined folders.
The documents are encrypted and assigned to the User's account. For this purpose, a secondary ID is generated for the uploaded documents, which is derived from the User's email ID, the unique ID of the document, the hash ID of the document, and the uploaded size of the document in bytes.
The documents are encrypted using an asymmetric encryption method. The User has the private key, so no third parties can access the contents of the folders. HealChain App also accesses the key in an automated process to enable the User to download or share the data with other HealChain App Users. Documents are viewed only by HealChain App administrators with a GDPR certification and only for the readability and evaluation of report type. The User can delete the uploaded medical documents at any time.
The processing is based on your explicit consent (Art. 6 (1)(a) and Art. 9 (2) (a) of the GDPR) which is provided by clicking on “Accept and Continue” button upon activation of this feature. You are free to revoke your consent at any time without giving reasons by clicking on “delete all my personal data” within the HealChain App. This does not affect the lawfulness of the processing carried out up to that point.
HealChain App ensures a high level of data security through the encryption techniques used, whereby the exclusive control over the uploaded documents lies with the respective User. Due to this data sovereignty, we are not able to delete the stored documents for the User, as only the User has the private key, which is required for a deletion.
Recipients of your personal data
We may share your personal data with third parties, if: (i) you have consented to such disclosure; (ii) we are under a legal obligation to do so; (iii) it is necessary for the purpose of legal proceedings or in relation thereto, or to exercise or protect our rights; (iv) we are required to disclose your personal data to new entities or third parties due to organizational changes within HealChain GmbH or in connection with the transfer of our business or any part thereof; (v) we may disclose anonymous statistical data about our website Users' browsing actions and related User information to reliable third parties, including browser providers and analysts.
We may also share your personal data with some reliable third parties in accordance with contracts entered into with them. They include, in particular our professional advisors and auditors and third-party suppliers to whom we outsource certain services, such IT technology providers.
Your personal data may be disclosed to public authorities, courts and law-enforcement agencies solely for the reasons set forth in this document and/or where required by applicable laws. Unless prohibited by applicable laws and regulations, we will use all reasonable endeavors to notify you in advance of any such disclosure.
Your rights
You have the following rights towards us regarding your personal data:
Right of access (Art.15 of the GDPR), i.e. right to obtain confirmation from us as to whether or not your personal data are being processed, and, where that is the case, to access such personal data and obtain information as to scope, method, purpose and duration of such processing;
Right to rectification or erasure (Art.16 and 17 of the GDPR), i.e. to request correction of inaccurate or amendment of incomplete personal data related to you and the right, under the conditions set out in GDPR, to have your personal data deleted for example in cases when such data are no longer necessary in relation to the purposes for which they were collected, consent to their processing has been withdrawn, objection to their further processing has been made or they were processed unlawfully;
Right to restriction of processing (Art.18 of the GDPR), i.e. to restrict processing of your personal data for example when the accuracy of personal data is contested or the personal data were unlawfully processed;
Right to object to the processing (Art.21 of the GDPR), i.e. right to object to further processing of your personal data for example in cases where the processing is based on legitimate interest;
Right to data portability (Art.20 of the GDPR), i.e. right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller, under the conditions set out in GDPR and to the extent of our technical capabilities;
Right of withdrawal of your consent (Art. 7 para. 3 of the GDPR) at any time by the methods set out above or by emailing to the above addresses.
You also have the right to complain to a data protection supervisory authority of your choice about the processing of your personal data by HealChain GmbH. Our lead supervisory authority is:
Hessische Beauftragte fur Datenschutz und Informationsfreiheit Gustav-Stresemann-Ring 1
Postfach 3163
65189 Wiesbaden, Germany
Phone: +49 (0)611 14080
For the United Kingdom Users the applicable law, regarding their data protection and privacy, is the Data Protection Act 2018 and the respective articles of such.