Last update: 11 May 2021
App Privacy Policy
florio® HAEMO App
florio® HAEMO Kids App
We appreciate your interest in florio HAEMO. This
product allows you to record and display data related to your haemophilia
disease, your treatment and your well-being. It includes the mobile application
florio HAEMO (the "App") and the optional florio HAEMO Kids
App. It also provides a web-based dashboard through which your physician can
monitor your data.
Health data contain the most sensitive information, and
the protection of your data has the highest priority for us. This Privacy Policy
("App Privacy Policy") explains which personal data are
processed when you download, sign up to use and use the App or the florio HAEMO
Kids App, and how we use these data. The App Privacy Policy also contains a
description of your rights as a user as well as the rights of your Dependant if
you use the App for a Dependant. Please read this App Privacy Policy carefully.
The florio HAEMO App can be operated in two modes:
· for managing your treatment as a patient;
· for managing the treatment of another person (a “Dependant”), using the
Caregiver mode of the App. You can link the optional florio HAEMO Kids App to
your App when you use it in Caregiver mode.
A Dependant is your child or another person for
whom you care as legal guardian, custodian or supervisor, or whose
interests you attend to at the request of that person.
A Caregiver is a parent, legal guardian,
custodian, supervisor, or another person appointed or designated by the
Dependant to attend to the Dependant’s interests.
With this App Privacy Policy we provide the following
information to you:
· If you use the App as a patient, it informs you about the processing of
your personal data.
· If you use the App for a Dependant in Caregiver mode, it informs you
about the processing of the personal data of your Dependant, and the processing
of your Dependant’s personal data when your Dependant uses the florio HAEMO
Kids App.
· If you are a Dependant, it informs you about the processing of your
personal data through the Caregiver’s App, and the processing of your personal
data when you use the florio HAEMO Kids App.
The use of the App is optional. If you do not want
your or your Dependant’s personal data to be processed pursuant to this App
Privacy Policy, please do not download or sign up to use the App or the florio
HAEMO Kids App.
If you use the App for a Dependant in Caregiver mode,
you must use the App only in the best interests of the Dependant. Furthermore,
you must make sure that your Dependant is aware of this App Privacy Policy and
knows his/her rights as a data subject listed herein, especially his/her right
to withdraw consent that has been given by you in relation to his/her personal
data.
References made to “your personal data” or “your data”
in this App Privacy Policy should be read as referring to your personal data
and/or your Dependant’s personal data (when the App is used in Caregiver mode).
Florio GmbH
("Florio GmbH", "we" and "us"),
as controller within the meaning of the General Data Protection Regulation
("GDPR"), is responsible for the lawfulness of the processing
of your data.
You can
contact us at any time using the contact details below:
Florio GmbH
Wilhelm-Wagenfeld-Straße 22
80807 München
Germany
Phone: +49 89 321 977 090
Email: info@florio.com
You can contact the data protection officer at any
time using the contact details below:
Data Protection Officer
Florio GmbH
Wilhelm-Wagenfeld-Straße 22
80807 München
Germany
Email: privacy@florio.com
Personal data such as your name, address, telephone
number and email address are not required for the use of the App, except as
indicated in this App Privacy Policy. We process personal data only if you make
these data available to us on a voluntary basis.
We process your personal data listed below, including
sensitive health data, to the extent you make them available to us via the App:
· information about your injections and medications (e.g., date/time
taken, dose, reason, brand of product, batch number, expiration date);
· information about your bleedings (e.g., location on the body, time/date,
cause, type of bleeding such as muscle bleed, soft tissue bleeding, joint bleed
etc.), as well as photographs you may submit of such bleedings;
· information about your workout sessions, including date, time, duration
and type of workout;
· information relevant to your treatment (e.g., age, weight, height);
· information about your treatment plan which your physician, with your
express consent, provides either through McMaster PopPK or through the florio
HAEMO dashboard;
· information about your well-being, including date, time, and level of
your well-being;
· information about severity of pain, including date, time, reason and
location;
· your estimated factor level, which is calculated by the McMaster PopPK platform
operated by McMaster University in Canada. We receive your McMaster PopPK
identification number and your treatment plan as created by your physician from
the McMaster University and provide injection data to the McMaster University
in order to display your estimated factor level. No additional data is shared
with the McMaster University;
· information on activity automatically collected and stored within the
last six months through your smartphone's functionalities or any other device,
such as a wearable (e.g. a smartwatch) that you use based on platforms such as
Apple HealthKit or Google Fit or Google Health Connect, depending on the
individually selected settings of your smartphone or device which may include
your activity levels (steps taken, heart rate, calories burned, walks and runs,
heart points, motion minutes, standing hours, stair-steps, basic energy consumption,
energy consumption during exertion, duration of a workout, resting heart
rate), nutrition information, or sleep pattern data.
With your express consent, we also collect data
about your device and your use of the App in order to maintain and
improve security, to deliver updates and to better understand how users use our
App. Read more about this at https://live.florio.app/legal/patient.
The use of information received from Google Health Connect will adhere
to the Health Connect Permissions policy, including the Limited
Use requirements.
We process your data for the following purposes and on
the following legal bases:
· to provide the App to the extent necessary for the performance of the
contract which we have concluded with you based on the terms of use for the App
according to Art. 6 (1) lit. b GDPR;
· to provide customer support, respond to your questions or requests for
information and communicate with you to the extent this is necessary, for the
purposes of our legitimate interest in ensuring efficient and user-friendly
communication with the users according to Art. 6 (1) lit. f GDPR;
· to improve the App's security to the extent this is necessary, for the
purposes of our legitimate interest in protecting the App and the information
processed in the App against risks, including the loss of data or unauthorised
access to data according to Art. 6 (1) lit. f GDPR.
We also process your data, including sensitive health
data, for the following purposes and on the following legal bases:
· to provide the individual functions of the App on the basis of your
explicit consent given to us according to
Art. 6 (1) lit. and Art. 9 (2) lit. a GDPR;
· to improve the App on the basis of your separate optional consent given
to us according to Art. 6 (1) lit. and Art. 9 (2) lit. a GDPR;
· to comply with local laws, for example on the reporting of any
incidents, to the extent this is necessary for compliance with a legal
obligation to which we are subject or on the basis that such processing is
necessary for reasons of public interest according to Art. 6 (1) lit. c, f and
Art. 9 (2) lit. g GDPR;
· to provide documentation for evidence purposes to the extent this is
necessary for the establishment, exercise or defence of legal claims, including
in connection with court proceedings according to Art. 6 (1) lit. f and Art. 9
(2) lit. f GDPR;
· to understand how you access and navigate the App, on the basis of your
separate optional consent given to us according to Art. 6 (1) lit. a GDPR. For
this purpose, we use technologies on your device to customise and improve the
App through certain content and functionalities to offer you a more
personalised user experience. Read more about this at https://live.florio.app/legal/patient under Service Providers.
We can only make the App available to you if you
consent to the processing of your health data for the purposes outlined here,
except for the purposes that are indicated as optional. If you do not want your
health data to be processed for the outlined purposes, please do not sign up
for or use the App. You can withdraw your consent at any time without the
lawfulness of processing your data prior to the withdrawal being affected.
However, in this case, you can no longer use the App.
We will furthermore anonymise your data, which means
that you can no longer be identified based on these data. These anonymised data
may then be processed for science and research purposes. We may also share the
anonymised data with third parties for science and research purposes if
approved by an external Data Governance Board. We have set up such an independent
committee, consisting of external medical professionals and representatives of
patient organizations, to govern the use of anonymised data being shared with
third parties for science and research.
We will not use your personal data for marketing
purposes.
Your data
will not be shared with any third parties without your prior consent, unless
this is expressly stipulated in this App Privacy Policy or we are legally
obliged to do so. We may share your data as follows:
· Your physician: the App requires that you link your
florio HAEMO account to the account of your physician, so that they can access
the health data provided by you via the App. Your data, including health data,
is shared with your physician and potentially also with other healthcare
professionals of his/her institution on the basis of your consent given to us
when signing up for the App. Your physician will directly provide you with
information on how, and for what purposes, they process your data, including
health data, and, if applicable, share them with third parties.
· McMaster University (Canada): your
estimated factor level is calculated by McMaster University, which operates the
McMaster PopPK platform (https://www.McMasterPopPK.org).
Upon first login, the App receives your McMaster PopPK identification number
and your treatment plan. For the calculation of your estimated factor level we
share your injection data with McMaster University. The App then retrieves your
estimated factor level from the McMaster PopPK platform and displays it. The
McMaster PopPK platform is provided and operated by McMaster University and not
by us. We have no control over the content of the calculated factor level and
cannot guarantee the accuracy of the results produced by the McMaster PopPK
platform. The use of, and information obtained from, the McMaster PopPK
platform is governed by the McMaster PopPK user agreement (available at https://www.McMasterPopPK.org/UserAgreement.aspx),
over which we have no control. In order to meet recordkeeping obligations,
McMaster University will retain copies of all data provided to the McMaster
PopPK platform. After anonymising this data, they may use them for software
improvement and for retrospective research studies based on prior approval by
Ethics Committees.
· Caregivers: If you are a Dependant, and your
Caregiver uses the App in Caregiver mode and enters your personal data, then
your Caregiver receives data which has been generated based on the entered data
and that concerns you, for example your estimated factor level on the basis of
consent.
· Service providers: we cooperate with third parties
that perform services and process data, some of which is personal data
(including health data), according to our instructions in relation to the App,
for the purposes of processing information or operating the App, as well as
providing content and programs. Such third parties are restricted from
processing the data for any purpose other than to provide these services. Read
more about this at https://live.florio.app/legal/patient under Service Provider.
· Authorities: to the extent required by law or
necessary for the use in legal
proceedings, we may also share your personal data with local or foreign
government authorities, supervisory authorities, law enforcement authorities,
courts and tribunals, namely
  o health data
    § for the establishment, exercise or defence of legal claims and
    § for reasons of public interest in the area of public health;
  o other personal data
    § for compliance with legal requirements and
    § on the basis of our legitimate interest.
For example, we may be
required by vigilance regulations to report any incidents to supervisory
authorities. Where we share your data with service providers acting as
controllers for these purposes, we do so on the basis of your corresponding
consent given to us when signing up for the App.
· Potential asset purchasers: if we sell or transfer
assets or if we intend such sale or transfer, a merger or a company
restructuring, in particular for the purpose of due diligence processes, we may
transfer your personal data (except health data), to one or more third parties
in preparation of or as part of such transaction or restructuring, on the basis
of our legitimate interest for continuing business or making business
transactions or on the basis of your consent, where required.
· Other categories of recipients: we may also share your
  o health data with third parties where this is necessary for the
  establishment, exercise or defence of legal claims or for the protection of
  vital interests of a third party
  o other personal data with third parties where this is necessary for
  the purposes of our own, or a third party’s, legitimate interests relating to
  law enforcement, litigation, criminal investigation, protecting the safety of
  persons, or to prevent death or imminent bodily harm, unless we deem that these
  interests are overridden by your interests or fundamental rights and freedoms
  which require the protection of your personal data.
The App is
hosted on servers in Germany, which means that your data are stored in Germany.
When using the App, injection data will be transmitted
to the McMaster PopPK platform in order to calculate and display the estimated
factor level in the App. McMaster PopPK is hosted and operated by McMaster
University in Canada, i.e. outside the European Economic Area ("EEA").
For the purpose of transferring your data to McMaster University in Canada, we
have taken security measures in order to protect your data, in particular by
implementing the standard contractual clauses adopted by the European Commission,
as amended or updated from time to time. If you have any questions about these
and other security measures we use for the data transfer outside the EEA, or to
request a copy of the applicable standard contractual clauses, you may contact
us at info@florio.com. See also
clause 4 of this App Privacy Policy under “Service providers”.
We take
reasonable steps to protect your data from loss, misuse, unauthorised access,
disclosure, alteration or destruction by taking security precautions that
provide for industry‑standard protection. However, data transmission over the
internet cannot be guaranteed to be 100% secure. The App is regularly tested by
external security experts, who probe our systems for vulnerabilities, and
confirm that defences against malicious attack or accidental data loss are as
strong as possible.
We will store
your data only for the period necessary to fulfil the purposes outlined in this
App Privacy Policy. After that we will delete your data in line with our
general data procedures, unless statutory retention obligations (in particular
due to commercial and tax law provisions) preclude this or a prolonged storage
is necessary in the specific individual case for the purposes of our legitimate
interests (the necessity of processing data for the establishment, exercise or
defence of legal claims).
Subject to
the statutory provisions, including the corresponding local laws, you have a
number of rights in connection with our processing of your personal data, which
we will outline in more detail below. To exercise these rights, including the
withdrawal of your consent, or if you have any questions, requests or
complaints about the processing of your data in relation to the App, please
contact info@florio.com.
· Access: you have the right to request access to your
personal data processed by us and a copy of this data (right of access).
· Rectification: you have the right to have any
incorrect data rectified and, taking into account the purposes of the
processing, to have incomplete personal data completed (right to
rectification).
· Erasure: you have the right, if there are justified
grounds, to request the erasure of your data (right to erasure).
· Restriction of processing: you have the right to
request the restriction of processing of your data, provided that the statutory
prerequisites apply (right to restriction of processing).
· Data portability: you have the right to receive the
data provided by you in a structured, commonly used and machine-readable format
and to transmit those data to another controller or, to the extent that this is
technically feasible, have them transmitted by us (right to data portability).
· Right to object: you have the
right, on grounds relating to your particular situation, to object to any
processing of your data for the purposes of legitimate interests pursued by us
or a third party (right to object).
· Automated individual decision-making: you have the
right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning you or similarly
significantly affects you, provided the statutory prerequisites do not apply.
We do not conduct automated decision-making.
· Withdrawal of consent: you have the right to withdraw your
consent at any time without giving reasons and with effect for the future. This
also applies to consent given by a Caregiver in relation to your data. The
withdrawal of your consent will not affect the lawfulness of processing your
data based on consent before this consent was withdrawn.
· Complaint: notwithstanding any other remedies, you are
also entitled anytime to file a complaint with a supervisory authority, for
example in your country of origin.
The App may
contain links to external websites that we believe may provide useful
information to the users of the App. This App Privacy Policy and the
obligations under it do not apply to such external websites (unless these
websites are owned by us and directly link to this App Privacy Policy). We
suggest contacting such external websites directly for information on their
privacy and security policies. We cannot be held liable for the content
provided on such websites.
We reserve
the right to make changes to the App Privacy Policy in the future. In case of
material changes (e.g., in particular, any changes that materially affect your
rights), we will notify you, such as on our website and/or publish a temporary
notice on the App. The App Privacy Policy in the respective applicable version
can be accessed and viewed on our App at any time.