MedAdvance.
Data Protection Declaration

Revision 1 Effective Date: November 6, 2022

Data Protection Declaration of MedAdvance

Revision 1, November 6, 2022, 7:25 p.m.

The provision of the services owed by contract and marketed via this website, as well as the collection and processing of personal data in this context, is carried out using technology and resources of MedAdvance, Inc., Level 85, One World Trade Center, New York City NY 2000 United States. As a result, MedAdvance as the person responsible within the meaning of Art. 4 No. 7 GDPR provides the following data protection declaration in accordance with Art. 13 GDPR.

A. GENERAL INFORMATION ON DATA PRIVACY
1. INFORMATION ON THE COLLECTION OF PERSONAL DATA

1.1 In the following we inform you about the collection and processing of personal data when using our website www.medadvance.app (same as the URLs with other country codes, hereinafter referred to as "website"), the mobile app "MedAdvance app" (hereinafter referred to as "consumer app") or the business app "MedAdvance business app" (hereinafter referred to as "business app"), which you can download to your mobile device. Where differences arise between the processing of personal data when using the website and the mobile app, we will inform you in detail in Section B (website) or Section C (consumer or business app). Personal data means individual information on personal or factual circumstances attributable to an identified or identifiable natural person.

1.2 The entity responsible according to Art. 4 para. 7 GDPR (General Data Protection Regulation) is MedAdvance, Inc and its subsidiaries (hereinafter also referred to as "MedAdvance" or "we"), Level 85, One World Trade Center, New York City NY 2000 United States. You can contact our data protection officer by sending a message via our contact page.

1.3 When contacting us by e-mail, the data you provide (your e-mail address, if applicable your first and last name and your telephone number) will be stored by us in order to answer your questions. We delete the data acquired in this context once no further storage is necessary or reduce the processing if further retention is required by law.

2. SUBJECT OF THIS DATA PROTECTION DECLARATION

This privacy policy applies to all services offered on our website or mobile app. This Data Protection Declaration exclusively deals with the handling of personal data by MedAdvance. In case our services are performed by subcontractors, you will find the information on the respective procedures below. In case you make use of services provided by third parties via the website, the data protection regulations of the respective third parties apply exclusively. MedAdvance does not check the data protection regulations of third parties.

3. COLLECTION AND PROCESSING OF PERSONAL DATA WHEN USING OUR SERVICES

We collect, store and process personal data in accordance with Art. 6 Para. 1 lit. b) GDPR for the entire handling of the transportation services (in particular service arrangement and accounting), including the handling of any warranty claims as well as the technical administration. Any and all personal data is processed exclusively in accordance with the provisions of the EU General Data Protection Regulation (GDPR).

3.1. CUSTOMER ACCOUNT/REGISTRATION

To be able to make use of the MedAdvance platform, consumer app or the business app, you first have to register as a user by entering the following personal data in connection with a password of your choice: First and last name, mobile phone number and e-mail address. We need this information in order to be able to identify you and to communicate with you. The legal basis is Art. 6 para. 1 sentence 1 lit. b) GDPR. It is obligatory to provide the aforementioned data; all further information can be provided voluntarily by using our platform. We will then set up a password-protected direct access to your data stored with us in your customer account. Here you can view all information about medical billing and manage and change all details in the protected customer area.

3.2 USE OF OUR SERVICES

3.2.1 To make use of our platform we need your correct first and last name, your email address, mobile phone number and specific payment information. You can decide between the following methods of payment: credit card, invoice or electronic direct debit (ELV). Depending on the chosen payment method we may need your credit card information or billing information. We need the first and last name, e-mail address and mobile phone number to confirm the services provided, identify you as a user and communicate with you. We need the credit card information or billing information to process the payment.

3.2.2 If you use our platform or our mobile apps, we will store your data required for the performance of the contract as listed in Section 3.2 (1) in accordance with Art. 6 Para. 1 Sentence 1 lit. b) GDPR. Furthermore, we store the data provided by you voluntarily for the duration of your use of the portal, provided that you do not delete it before. The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR.

3.2.3 In order to prevent unauthorized access to your personal data, especially payment information, the connection is encrypted using TLS technology.

3.2.4 It is your obligation to treat the personal access data confidentially and not to make them accessible to any unauthorized third parties. We do not assume any liability for the abuse of passwords, unless we are responsible for the abuse.

3.2.5 Your personal data will only be passed on or otherwise communicated to third parties if this is necessary (i) for the purpose of performing our contractual obligations or (ii) the handling of payment transactions or (iii) if there is a legitimate interest of MedAdvance or the third party or (iv) if you have previously given your consent. The legal basis is Art. 6 para. 1 sentence 1 lit. b), f) GDPR or Art. 6 para. 1 sentence 1 lit. a) GDPR. This means that other external providers of services (external partner) as well as their respective employees executing services receive the necessary information (first and last name, mobile phone number, service provisions, enquiries as well as information on extra requests) via the website and mobile app. Moreover, for credit card payment purposes the payment processor Stripe (for further information see point 3.3) receives the necessary information (first and last name, mobile phone number, credit card information).

In addition to the aforementioned third parties, your data will be processed by internal software within our business enabling us to provide customer support and to perform services. All software tools are GDPR compliant and the data is exclusively processed on an as-needed basis. Your data might be processed by employees of subsidiaries of MedAdvance, which are obliged to comply with the same strict GDPR rules as MedAdvance itself. The data passed on in this way may only be used by these third parties for the fulfillment of their tasks. Any other use of the above information is prohibited.

3.2.6 You will receive system announcements, notifications and further information from the platform or the invoice (in case you choose this option in your user profile) and updates regarding your services via your email address. For the purpose of sending you this kind of system e-mails we may use the mailing services of SendGrid, a service of SendGrid, Inc. (hereinafter referred to as "SendGrid").

For that purpose, we transfer your email address, name, last name and trip details to SendGrid where it is stored only for the period necessary to fulfill the purpose as described before. The legal basis is Art. 6 Para. 1 lit. b) GDPR.

The Commission Decision (EU) 2016/1250 of 12.07.2016 allows the transfer of data from an EU controller or processor of orders to organizations in the US that have committed themselves to adhere to the framework principles of the EU-US Data Protection Shield, including the additional principles, by way of self-certification with the US Department of Commerce. SendGrid is subject to these principles through self-certification with the U.S. Department of Commerce.

Information of the third-party provider SendGrid on data protection is available at:

https://sendgrid.com/policies/privacy/

3.2.7 We use your mobile phone number to send you notifications or registration links from the platform. For the purpose of sending you SMS we use Twilio, a service of Twilio Inc. (hereinafter referred to as "Twilio"), 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA.

For that purpose, we transfer your mobile phone number to Twilio where it is stored until you delete your MedAdvance user account. Then we will order the deletion of your data. The legal basis is Art. 6 Para. 1 lit. b) GDPR.

The Commission Decision (EU) 2016/1250 of 12.07.2016 allows the transfer of data from an EU controller or processor of orders to organizations in the US that have committed themselves to adhere to the framework principles of the EU-US Data Protection Shield, including the additional principles, by way of self-certification with the US Department of Commerce. Twilio is subject to these principles through self-certification with the U.S. Department of Commerce.

Information of the third-party provider Twilio on data protection is available at:

https://www.twilio.com/legal/privacy

3.2.8 To be able to use our services in a country outside the European Union (hereinafter referred to as "third country") the transfer of your personal data to the external service partner as well as to the respective employees in such a third country is necessary for the performance of our contractual obligations. The legal basis for the data transfer is an Adequacy Decision according to Art. 45 Para. 1 GDPR, where the European Commission has decided that the third country ensures an adequate level of protection. If an adequate level of data protection cannot be guaranteed, the legal basis is Art. 49 Para. 1 sentence 1 lit. b) GDPR.

You can find a list of all Adequacy Decisions by the European Commission here:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

4. CREDIT CARD DATA FOR THE PAYMENT OF THE SERVICES

In the following we inform you about the data processing in case you choose to pay by credit card. We want to underline that MedAdvance systems meet the highest security standard and are certified by PCI-DSS (Payment Card Industry Data Security Standard). The credit card information only needs to be entered once when the first registration is made. The entered information is protected against unauthorized access. MedAdvance does not store the information. MedAdvance uses a certified payment provider named Stripe (Stripe Payments Europe Ltd., The One Building 1 Grand Canal Street Lower, Dublin 2, Ireland), whose systems are also PCI-DSS-certified. In order to increase the convenience of recurring transactions, the credit card data is stored for an extended period of over one year at the commissioned PCI-DSS-certified payment provider and will be deleted when you delete your MedAdvance user account. Further information on the use of your payment data can be found in Section 3.2 (5).

5. USE OF ADYEN FOR PAYMENT BY INVOICE OR ELV

In the following we inform you about the use of Adyen in case you choose to pay by bank transfer or ELV through the payment provider Adyen. In this case you have to store your bank details. Then the payment is made when you press the button in your account as ELV. Alternatively, Adyen will send you a fifteen-digit token and its banking information. Into this account you will have to pay the specific fee.

6. NEWSLETTER

6.1 Our newsletter provides information about us and our services. If you would like to receive the newsletter, we need a valid email address from you. For the registration for our newsletter we use the so-called double opt-in procedure. This means that after your registration we will send you an email to the specified e-mail address asking you to confirm that you would like to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the time of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible abuse of your personal data.

6.2 The only information for sending the newsletter is your email address. After your confirmation we will save your email address for the purpose of sending you the newsletter. The legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR.

6.3 We use the SendGrid component, a service of SendGrid, Inc., for sending our newsletters on the basis of Art. 6 Par. 1 S. 1 lit. f) GDPR. SendGrid is a service provided by SendGrid, Inc., 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA.

If you subscribe to our newsletter, your email address will be transmitted to a server of SendGrid in the USA and stored there until you decide to unsubscribe, as explained in Section 4.4.

According to the Commission implementing Decision (EU) 2016/1250 of 12.07.2016, the transfer of data from an EU controller or order processor to organizations in the US who have committed themselves to adhere to the framework principles of the EU-US Privacy Shield, including the additional principles, by way of self-certification with the US Department of Commerce, is permitted. MailChimp is subject to these principles through self-certification by the US Department of Commerce. Further information about data protection at SendGrid can be found here:

https://sendgrid.com/policies/privacy/

6.4 At the bottom of each newsletter you will find a link to unsubscribe at any time. You can also unsubscribe from the newsletter at any time by sending a message to the e-mail address under Section 1.2. If the newsletter is canceled, the personal data stored for the purpose of providing the newsletter will be deleted, unless there is a legal obligation to retain it.

7. SAFE DATA TRANSMISSION

Your personal data is transmitted securely by encryption. This applies to the order and also to the customer login. We use the TLS encryption protocol. No one can guarantee absolute protection. However, we secure our website and other systems through technical and organizational measures.

8. RIGHT OF AFFECTED PERSONS

8.1 In accordance with Art. 15 GDPR, you have the right, upon request and free of charge, to receive information about the personal data that has been stored about you. In accordance with Articles 16, 17 and 18 of the GDPR, you also have the right to have incorrect data corrected and your personal data blocked, deleted or processed to a limited extent. Under the conditions laid down in Art. 20 of the GDPR, you are also entitled to receive the personal data concerning you that have been stored in a structured, common and machine-readable format and to transmit this data to another person responsible without any impediment by MedAdvance. In addition, according to Art. 21 para. 1 GDPR you are entitled to object to the processing of personal data relating to you, which is carried out on the basis of Art. 6 para. 1 lit. e) or f) GDPR, for reasons arising from your particular situation. MedAdvance will fulfill your aforementioned claims, provided that the legal requirements for the assertion of the respective claims are satisfied.

8.2 Any requests for your personal data should be made to the address specified under item 1 of this data protection declaration.

8.3 You are also entitled to file a complaint with a data protection supervisory authority regarding our processing of your personal data.

9. DURATION OF STORAGE AND ROUTINE DELETION

9.1 We process and store personal data only during the period necessary to realize the purpose of processing or during the period of time and to the extent provided for in laws or regulations applicable to the controller.

9.2 If the storage purpose ceases to apply or a legally prescribed storage period expires, the personal data will be blocked or deleted as a matter of routine and in accordance with the statutory provisions.

B. FURTHER INFORMATION ON THE USE OF OUR WEBSITE
1. COLLECTION OF PERSONAL DATA WHEN USING OUR WEBSITE
1.1 ACCESS DATA/ SERVER-LOGFILES

In case our website is exclusively used for information purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server (server log files/access data). If you wish to view our website, we collect the following data on the basis of Art. 6 Par. 1 S. 1 lit. f) GDPR, which is technically necessary for us to display our website to you and to guarantee stability and security:

Name and content of the accessed website, IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), the amount of data transferred, access status/HTTP status code (referrer URL), browser type, your operating system and its interface, language and version of the browser software.

1.2 COOKIES

1.2.1 We use cookies on our website. A cookie is a small file that your browser creates automatically and that is stored on your access device (PC, laptop, smartphone, etc.) when you are visiting our website. Cookies cannot run programs or transmit viruses to your computer. The cookie stores certain information related to the access device. This does not mean that we become aware of your identity directly. Cookies are used on the basis of Art. 6 Par. 1 lit. f) GDPR.

1.2.2 We use so-called session cookies to recognize that you visited certain pages of our website. Those cookies will be deleted automatically at the time you leave our website. We also use temporary cookies to optimize the usability of our website; these are stored on your device for a certain period. In case you visit our website again to use our services, you and the inputs or settings you made will be recognized automatically, so you do not have to repeat them.

1.2.3 On the other hand, we use cookies to collect statistical data via third party services on your website and to analyze the data for optimization of the usability of our website (more details in Sect. B. 2). Those cookies will be deleted after a certain period.

1.2.4 You can enable or disable cookies via the settings in your browser. However, not all interactive features of our website may be available if you disable cookies. You can find more information on how to prevent the use of cookies in each relevant section for the different services.

2. INTEGRATION OF SERVICES OF THIRD PARTIES
2.1 USE OF GOOGLE ANALYTICS

2.1.1 This website uses Google Analytics, a web analysis service of Google Inc, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies (more details in B.2.1.) to help the website analyze how users use the site. The information generated by the cookie about your use of this website is generally transmitted to and stored by Google on servers in the United States.

2.1.2 The Commission Decision (EU) 2016/1250 of 12.07.2016 allows the transfer of data from an EU controller or processor of orders to organizations in the US that have committed themselves to adhere to the framework principles of the EU-US Data Protection Shield, including the additional principles, by way of self-certification with the US Department of Commerce. Google is subject to these principles through self-certification with the U.S. Department of Commerce.

2.1.3 However, if IP anonymization is activated on our website, Google will reduce your IP address beforehand within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this website. On behalf of MedAdvance, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website and Internet use in comparison with MedAdvance. Legal basis for the use of Google Analytics is Art. 6 Par. 1 S. 1 lit. f) GDPR.

2.1.4 The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link:

https://tools.google.com/dlpage/gaoptout

You can find further information on the data use by Google here:

https://www.google.com/analytics/terms/us.html (User Terms and Conditions)

https://support.google.com/analytics/answer/6004245?hl=en (Overview regarding Data Protection)

https://policies.google.com/privacy (Data Protection Declaration)

2.2 USE OF GOOGLE ADWORDS CONVERSION

2.2.1 We use the offer of Google Adwords to draw attention to our attractive offers with the help of advertising materials (so-called Google Adwords) on external websites. We can determine in relation to the data of the advertising campaigns how successful the individual advertising measures are. We are interested in showing you advertisements that are of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs. The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f) GDPR.

2.2.2 These advertising media are delivered by Google via so-called "Ad Servers". For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our website via a Google ad, Google Adwords stores a cookie on your PC. These cookies usually expire after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.

2.2.3 These cookies enable Google to recognize your Internet browser. If a user visits certain pages of an Adwords customer's website and the cookie stored on their computer has not expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this page. Each Adwords customer is assigned a different cookie. Cookies cannot therefore be traced via the websites of Adwords customers. We do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.

2.2.4 Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence on the extent and the further use of the data collected by Google through the use of this tool and therefore inform you according to our knowledge: through the integration of AdWords conversion, Google receives the information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with a Google service, Google may associate your visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.

2.2.5 You can prevent participation in this tracking procedure in various ways: a) by setting your browser software accordingly, in particular by suppressing third-party cookies, you will not receive any ads from third-party providers; b) by deactivating cookies for conversion tracking, by setting your browser so that cookies from the domain https://ads.google.com/home/, https://www.google.com/settings/ads are blocked, this setting being deleted when you delete your cookies; c) by deactivating the interest-based ads of the providers that are part of the "About Ads" self-regulation campaign via the link https://www.aboutads.info/choices, this setting being deleted when you delete your cookies; d) by permanently deactivating them in your Firefox, Internet Explorer or Google Chrome browsers under the link https://www.google.com/settings/ads/plugin. Please note that in this case you may not be able to use all functions of this offer in full.

Further information on data protection at Google and Google Adwords Conversion can be found here:

https://policies.google.com/privacy?hl=en-US and https://services.google.com/sitestats/en.html.

Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org

3. USE OF HOTJAR

3.1 This website uses the web analysis service Hotjar, a software of the European company Hotjar Ltd, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, to analyze and regularly improve the use of our website. The legal basis for the use of Hotjar is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

3.2 Cookies (more details in B.2.1.) are stored on your computer for this evaluation. Hotjar provides us with videos from the website, so the data you enter in your user profile is visible, e.g. name, last name, mobile, email. The information collected in this way is transmitted anonymously to the Hotjar servers in Ireland and stored there for one year and not passed on to other third parties. The amount of time the cookie is stored varies depending on the type of cookie. For more information, please visit https://help.hotjar.com/hc/en-us/articles/6952777582999-Cookies-Set-by-the-Hotjar-Tracking-Code. To prevent Hotjar from collecting the data, please follow the instructions at https://www.hotjar.com/opt-out, which are also available in the German language.

3.3 Information of the third-party provider Hotjar on data protection is available at https://www.hotjar.com/privacy.

4. USE OF HUBSPOT

4.1 We use GDPR components of the provider HubSpot on our website on the basis of Art. 6 para. 1 lit. f). HubSpot is a service of HubSpot, Inc, 1 Harbour Pl, Suite 175, Portsmouth, NH 03801, United States. We use the HubSpot plugin to analyze and regularly improve the use of our website, so that we can improve our services and increase their attractiveness for you as a user. The legal basis for using the Salesforce.com plugins is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

4.2 According to the Commission implementing Decision (EU) 2016/1250 of 12.07.2016, the transfer of data from an EU controller or order processor to organizations in the US who have committed themselves to adhere to the framework principles of the EU-US Privacy Shield, including the additional principles, by way of self-certification with the US Department of Commerce, is permitted. Salesforce.com is subject to these principles through self-certification by the US Department of Commerce.

4.3 Information of the third-party provider HubSpot on data protection is available at https://legal.hubspot.com/privacy-policy

5. USE OF THE FACEBOOK SOCIAL PLUGINS (LIKE BUTTON)

5.1 We use GDPR components of the provider facebook.com on our website on the basis of Art. 6 para. 1 lit. f). Facebook is a service of Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. Through the Facebook plugin we offer you the possibility to interact with Facebook and other users, so that we can improve our services and increase their attractiveness for you as a user. The legal basis for using the Facebook plugins is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

5.2 Each time you visit our website, which is equipped with such a component, this component causes the browser used by you to download a corresponding representation of the component from Facebook. This process informs Facebook which specific page of our website you are currently visiting.

5.3 If you visit our website while logged in to Facebook, Facebook recognizes which specific page you are visiting through the information collected by the component and assigns this information to your personal account on Facebook. For example, if you click the "I like" button or make comments, this information is transferred to your personal user account on Facebook and stored there. In addition, the information that you have visited our site will be shared with Facebook and stored until you delete your Facebook account. This is independent of whether you click on the component or not. If you are not a member of Facebook, it is still possible for Facebook to obtain and store your IP address. According to Facebook, only an anonymized IP address is stored in Germany.

5.4 If you wish to prevent Facebook from transmitting and storing data about you and your behavior on our website, you have to sign out of your Facebook account before you visit our site. Facebook's privacy policy provides more detailed information, in particular about Facebook's collection and use of the data, your rights in this regard and the setting options for protecting your privacy: https://www.facebook.com/privacy/policy/

Facebook has adhered to the EU-US-Privacy-Shield:

https://www.privacyshield.gov/EU-US-Framework

5.5 You also have the right to object to the creation of these user profiles by Facebook, whereby you must contact Facebook to exercise this right.

6. INTEGRATION OF GOOGLE MAPS

6.1 On this website we use Google Maps, a service of Google (further information on Google can be found in section B.2.1.). This allows us to display interactive maps directly on the website and enables you to conveniently use the map function. The legal basis for this is Art. 6 Par. 1 S. 1 lit. a), b) or f) GDPR.

6.2 By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition, the data mentioned under section B.1.1. of this declaration will be transmitted. This is regardless of whether Google provides a user account that you are logged in to, or whether no user account exists. If you are logged in to Google, your information will be directly associated with your account. If you do not wish to be associated with your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. Google Maps retains ID-associated data for 60 days. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

6.3 Further information on the purpose and scope of data collection and the further processing and use of the data by Google as well as your rights in this regard and options for setting up your privacy can be found here:

https://policies.google.com/privacy?hl=en-US

C. FURTHER INFORMATION ON THE USE OF THE CONSUMER APP
1. COLLECTION OF PERSONAL DATA WHEN USING OUR CONSUMER APP
1.1 ACCESS DATA

1.1.1 When downloading the mobile app, the necessary information is transferred to the App Store (Apple App Store and Google Play), i.e. in particular the name, e-mail address and customer number of your customer account, time of download, payment information and the individual device identification number. We have no influence on this data collection and shall not be responsible for it. We only process the data if it is necessary for downloading the mobile app to your mobile device.

1.1.2 When using the mobile app, we collect the personal data described below to enable convenient use of the functions. If you want to use our mobile app, we collect the following data on the basis of Art. 6 Par. 1 S. 1 lit. f) GDPR, which is technically necessary for us to offer you the functions of our mobile app and to guarantee stability and security:

Name and content of the accessed website, IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), the amount of data transmitted, access status/HTTP status code (Referrer URL), browser type, your operating system and its interface, language and version of the browser software.

1.1.3 We also require your device identification, unique number of the end device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WIFI use, name of your mobile device and your e-mail address.

1.2 COOKIES

The mobile app does not use any cookies.

2. INTEGRATION OF SERVICES OF THIRD PARTIES
2.1 INTEGRATION OF GOOGLE MAPS

2.1.1 This mobile app uses Google Maps, a service of Google (further information on Google can be found in section B.2.1.). This enables us to display interactive maps directly in the mobile app and enables you to use the map function conveniently. The legal basis for this is Art. 6 Par. 1 S. 1 lit. a), b) or f) GDPR.

2.1.2 When you use our mobile app, Google receives the information that you have accessed the corresponding subpage in our app. In addition, the data mentioned under section C.1. of this declaration will be transmitted. This occurs regardless of whether Google provides a user account that you are logged in to, or whether no user account exists. If you are logged in to Google, your information will be directly allocated to your account. If you do not wish to be associated with your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities in our app. Google Maps retains ID-associated data for 60 days. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

2.1.3 Further information on the purpose and scope of data collection and the further processing and use of the data by Google as well as your rights in this regard and options for setting up your privacy can be found here:

https://policies.google.com/privacy?hl=en-US

2.2 USE OF GOOGLE ANALYTICS

2.2.1 This app uses Google Analytics, a mobile analysis service of Google (you can find further information on Google in section B.2.1.). Google Analytics uses the Instance ID of your mobile device to identify individual installations of this mobile app. Since each Instance ID is unique to a particular app and device, it gives Google Analytics a way to refer to specific app instances.

2.2.2 However, if IP anonymization is activated on the mobile app, Google will reduce your IP address beforehand within the Member States of the European Union or in other states party to the Agreement of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this mobile app. On behalf of MedAdvance, Google will use this information to evaluate your use of the mobile app, to compile reports on mobile app activity and to provide other services relating to the mobile app and internet use in comparison with MedAdvance. The IP address transmitted by the mobile app in the context of Google Analytics will not be merged with other Google data. Legal basis for the use of Google Analytics is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

2.2.3 You can prevent Google from collecting the data generated by the Instance ID and relating to your use of the mobile app (including your IP address) and from processing this data by opting out in this mobile app’s settings.

2.3 USE OF HUBSPOT

2.3.1 We use GDPR components of the provider HubSpot on our website on the basis of Art. 6 para. 1 lit. f). HubSpot is a service of HubSpot, Inc, 1 Harbour Pl, Suite 175, Portsmouth, NH 03801, United States. We use the HubSpot plugin to analyze and regularly improve the use of our website, so that we can improve our services and increase their attractiveness for you as a user. The legal basis for using the HubSpot plugins is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

2.3.2 According to the Commission implementing Decision (EU) 2016/1250 of 12.07.2016, the transfer of data from an EU controller or order processor to organizations in the US who have committed themselves to adhere to the framework principles of the EU-US Privacy Shield, including the additional principles, by way of self-certification with the US Department of Commerce, is permitted. Salesforce.com is subject to these principles through self-certification by the US Department of Commerce.

2.3.3 Information of the third-party provider HubSpot on data protection is available at https://legal.hubspot.com/privacy-policy

2.4 USE OF FIREBASE

2.4.1 This app uses Firebase, a mobile service of Google (you can find further information on Google in section B.2.1.). Firebase uses the Instance ID of your mobile device to identify individual installations of this mobile app. Since each Instance ID is unique to a particular app and device, it gives Firebase a way to refer to specific app instances. The information generated by the Instance ID about your use of this mobile app is generally transmitted to and stored by Google on servers in the United States. Your IP address transmitted by this mobile app in the context of Firebase will not be merged with other Google data. Legal basis for the use of Firebase is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

2.4.2 However, if IP anonymization is activated on the mobile app, Google will reduce your IP address beforehand within the Member States of the European Union or in other states party to the Agreement of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this mobile app. On behalf of MedAdvance, Google will use this information to evaluate your use of the mobile app, to compile reports on mobile app activity and to provide other services relating to the mobile app and internet use in comparison with MedAdvance. The IP address transmitted by the mobile app in the context of Google Analytics will not be merged with other Google data.

2.4.3 We use the Firebase service Analytics to provide analytics and attribution information in case you use a mobile device with Android operating systems. Firebase Analytics collects Mobile ad IDs, Android mobile device IDs, Instance IDs, Analytics App Instance IDs. Firebase Analytics retains ID-associated data for 60 days and retains aggregate reporting and campaign data without automatic expiration, unless MedAdvance changes its retention preference in its Analytics settings or deletes its project.

2.4.4 We use the Firebase service Cloud Messaging in case you use a mobile device with Android operating system to determine which devices to deliver messages to by using Instance IDs. Firebase retains Instance IDs until we request deletion. After that, the personal data is deleted by Firebase within 180 days.

2.4.5 We use the Firebase service Crashlytics, which tells us when your mobile app crashes, in case you use a mobile device with Android operating system. For this purpose, Instance IDs and crash reports are transferred to Firebase. Firebase retains those personal data until we request deletion. After that, the personal data are deleted by Firebase within 180 days.

2.4.6 We use the Firebase service Dynamic Links, which uses device specs IDs, in case you have a mobile device with iOS operating system, to facilitate use of newly-installed mobile apps. Dynamic Links only stores device specs temporarily, to provide the service.

2.4.7 We use the Firebase service Performance Monitoring, which uses Instance IDs to monitor the mobile app’s function and to react to specific instances. Performance Monitoring retains instance-associated events for 30 days. Firebase retains Instance IDs until we request deletion. After that, the personal data are deleted by Firebase within 180 days.

2.4.8 You can prevent Google from collecting the data generated by the Instance ID and relating to your use of the mobile app (including your IP address) and from processing this data by opting out in this mobile app’s settings.

2.4.9 You can find further information on the data use by Google through Firebase here:

https://firebase.google.com/terms/data-processing-terms

https://firebase.google.com/terms/

https://firebase.google.com/support/privacy/manage-iids

https://firebase.google.com/support/privacy/

2.5 USE OF DOCUSIGN

2.5.1 We use GDPR components of the provider Docusign on our website on the basis of Art. 6 para. 1 lit. f). Docusign is a service of Docusign, 221 Main St., Suite 1000 San Francisco, CA 94105, USA. When our customers use Docusign Services, Docusign processes and stores certain information on the customers' behalf as a data processor. For example, in DocuSign Signature, when a customer (or the customer’s Authorized Users) uploads contracts or other documents for review or signature, Docusign acts primarily as a data processor and processes information on the customer's behalf and in accordance with the customer's instructions. In those instances, the customer as the data controller is responsible for most aspects of the processing of the information.

2.5.2 According to the Commission implementing Decision (EU) 2016/1250 of 12.07.2016, the transfer of data from an EU controller or order processor to organizations in the US who have committed themselves to adhere to the framework principles of the EU-US Privacy Shield, including the additional principles, by way of self-certification with the US Department of Commerce, is permitted. Docusign is subject to these principles through self-certification by the US Department of Commerce.

2.5.3 Information of the third-party provider Docusign on data protection is available at https://www.docusign.com/company/privacy-policy.

D. FURTHER INFORMATION ON THE USE OF THE BUSINESS APP
1. COLLECTION OF PERSONAL DATA WHEN USING OUR BUSINESS APP
1.1 ACCESS DATA

1.1.1 When downloading the mobile app, the necessary information is transferred to the App Store (Apple App Store and Google Play), i.e. in particular the name, e-mail address and customer number of your customer account, time of download, payment information and the individual device identification number. We have no influence on this data collection and shall not be responsible for it. We only process the data if it is necessary for downloading the mobile app to your mobile device.

1.1.2 When using the mobile app, we collect the personal data described below to enable convenient use of the functions. If you want to use our mobile app, we collect the following data on the basis of Art. 6 Par. 1 S. 1 lit. f) GDPR, which is technically necessary for us to offer you the functions of our mobile app and to guarantee stability and security:

Name and content of the accessed website, IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), the amount of data transmitted, access status/HTTP status code (Referrer URL), browser type, your operating system and its interface, language and version of the browser software.

1.1.3 We also require your device identification, unique number of the end device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WIFI use, name of your mobile device and your e-mail address.

1.2 COOKIES

The mobile app does not use any cookies.

1.3 COLLECTION OF YOUR LOCATION DATA

The MedAdvance system makes use of GPS positioning to ensure verification of transaction location. You may only use this function after you have given your consent, via the respective pop-up window, to our collecting your location data via GPS and your IP address in anonymized form for the purpose of arranging trips. You may at any time allow or revoke this setting in the settings of your operating system and activate or deactivate the access to your location there. Your location will only be communicated to us if you have activated access to your location. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a) or f) GDPR.

2. INTEGRATION OF SERVICES OF THIRD PARTIES
2.1 INTEGRATION OF GOOGLE MAPS

2.1.1 This mobile app uses Google Maps, a service of Google (further information on Google can be found in section B.2.1.). This enables us to display interactive maps directly in the mobile app and enables you to use the map function conveniently. The legal basis for this is Art. 6 Par. 1 S. 1 lit. a), b) or f) GDPR.

2.1.2 When you use our mobile app, Google receives the information that you have accessed the corresponding subpage in our app. In addition, the data mentioned under section C.1. of this declaration will be transmitted. This occurs regardless of whether Google provides a user account that you are logged in to, or whether no user account exists. If you are logged in to Google, your information will be directly allocated to your account. If you do not wish to be associated with your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities in our app. Google Maps retains ID-associated data for 60 days. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

2.1.3 Further information on the purpose and scope of data collection and the further processing and use of the data by Google as well as your rights in this regard and options for setting up your privacy can be found here:

https://policies.google.com/privacy?hl=en-US

2.2 USE OF GOOGLE ANALYTICS

2.2.1 This app uses Google Analytics, a mobile analysis service of Google (you can find further information on Google in section B.2.1.). Google Analytics uses the Instance ID of your mobile device to identify individual installations of this mobile app. Since each Instance ID is unique to a particular app and device, it gives Google Analytics a way to refer to specific app instances.

2.2.2 However, if IP anonymization is activated on the mobile app, Google will reduce your IP address beforehand within the Member States of the European Union or in other states party to the Agreement of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this mobile app. On behalf of MedAdvance, Google will use this information to evaluate your use of the mobile app, to compile reports on mobile app activity and to provide other services relating to the mobile app and internet use in comparison with MedAdvance. The IP address transmitted by the mobile app in the context of Google Analytics will not be merged with other Google data. Legal basis for the use of Google Analytics is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

2.2.3 You can prevent Google from collecting the data generated by the Instance ID and relating to your use of the mobile app (including your IP address) and from processing this data by opting out in this mobile app’s settings.

2.3 USE OF FIREBASE

2.3.1 This app uses Firebase, a mobile service of Google (you can find further information on Google in section B.2.1.). Firebase uses the Instance ID of your mobile device to identify individual installations of this mobile app. Since each Instance ID is unique to a particular app and device, it gives Firebase a way to refer to specific app instances. The information generated by the Instance ID about your use of this mobile app is generally transmitted to and stored by Google on servers in the United States. Your IP address transmitted by this mobile app in the context of Firebase will not be merged with other Google data. Legal basis for the use of Firebase is Art. 6 Par. 1 S. 1 lit. a) or f) GDPR.

2.3.2 However, if IP anonymization is activated on the mobile app, Google will reduce your IP address beforehand within the Member States of the European Union or in other states party to the Agreement of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this mobile app. On behalf of MedAdvance, Google will use this information to evaluate your use of the mobile app, to compile reports on mobile app activity and to provide other services relating to the mobile app and internet use in comparison with MedAdvance. The IP address transmitted by the mobile app in the context of Google Analytics will not be merged with other Google data.

2.3.3 We use the Firebase service Analytics to provide analytics and attribution information in case you use a mobile device with Android operating systems. Firebase Analytics collects Mobile ad IDs, Android mobile device IDs, Instance IDs, Analytics App Instance IDs. Firebase Analytics retains ID-associated data for 60 days and retains aggregate reporting and campaign data without automatic expiration, unless MedAdvance changes its retention preference in its Analytics settings or deletes its project.

2.3.4 We use the Firebase service Cloud Messaging in case you use a mobile device with Android operating system to determine which devices to deliver messages to by using Instance IDs. Firebase retains Instance IDs until we request deletion. After that, the personal data are deleted by Firebase within 180 days.

2.3.5 We use the Firebase service Crashlytics, which tells us when your mobile app crashes, in case you use a mobile device with Android operating system. For this purpose, Instance IDs and crash reports are transferred to Firebase. Firebase retains those personal data until we request deletion. After that, the personal data is deleted by Firebase within 180 days.

2.3.6 We use the Firebase service Dynamic Links, which uses device specs IDs, in case you have a mobile device with iOS operating system, to facilitate use of newly-installed mobile apps. Dynamic Links only stores device specs temporarily, to provide the service.

2.3.7 We use the Firebase service Performance Monitoring, which uses Instance IDs to monitor the mobile app’s function and to react to specific instances. Performance Monitoring retains instance-associated events for 30 days. Firebase retains Instance IDs until we request deletion. After that, the personal data is deleted by Firebase within 180 days.

2.3.8 You can prevent Google from collecting the data generated by the Instance ID and relating to your use of the mobile app (including your IP address) and from processing this data by opting out in this mobile app’s settings.

2.3.9 You can find further information on the data use by Google through Firebase here:

https://firebase.google.com/terms/data-processing-terms

https://firebase.google.com/terms/

https://firebase.google.com/support/privacy/manage-iids

https://firebase.google.com/support/privacy/