Privacy Policy

Your privacy matters. Learn how we collect, use, and protect your personal data in accordance with GDPR and medical device regulations.
Table of Contents
Example H2

(As of 12/2024)

medaia GmbH (‘medaia’, “we”, ‘us’) considers it important to adequately protect your personal data. When processing personal data, medaia therefore complies with the applicable legal provisions on the protection, lawful handling and confidentiality of personal data, as well as on data security, in particular the EU General Data Protection Regulation (‘GDPR’), the Austrian Data Protection Act (“DSG”) and the Telecommunications Act (‘TKG’).

This privacy policy informs you about the nature, scope and purposes of the processing of your personal data when you use our SkinScreener app version 3 (‘SkinScreener’) to obtain a risk analysis of your individual skin cancer risk based on transmitted images of your moles, skin lesions and the like.

1. NAME AND ADDRESS OF THE CONTROLLER

The controller responsible for processing your personal data in accordance with data protection regulations is:

medaia GmbH

Am Eisernen Tor 5

8010 Graz

The contact details of the data protection officer are: datenschutz@skinscreener.at.

2. HOW IS YOUR PERSONAL DATA PROCESSED?

2.1 Use of SkinScreener

When you use SkinScreener, we process your personal data. We only process the data that you provide to us during onboarding and when using the app. This includes the following data in particular:

  • First and last name
  • Email address
  • Year of birth
  • Gender
  • Image documentation of skin lesions provided by you (health data)
  • Result of the automated risk assessment
  • Device ID
  • Password
  • Apple ID
  • Google ID

The processing of your personal data serves the purpose of authenticating your access to SkinScreener, thereby enabling the correct allocation of purchased scans or annual subscriptions. The data for authentication is provided by Apple or Google via their plugin. Furthermore, the transmitted images of your skin lesions are correctly allocated and evaluated, and you are granted access to your archived images in SkinScreener. The evaluated images enable a risk assessment with regard to any existing skin cancer risk.

In addition, the processing of your year of birth and gender serves to meet the requirements of post-market surveillance (ISO 13485:2016) in order to be able to make an even better and more accurate assessment of the correctness of the risk assessment.

Your personal data is processed (i) with regard to non-sensitive data for the fulfilment of the contract in accordance with Art. 6 (1) (b) GDPR and (ii) with regard to your health data on the basis of your express consent in accordance with Art. 6 (1) (a) GDPR and Art. 9 (2) (a) GDPR. You have the right to revoke your consent at any time with effect for the future. However, without your consent, we are not permitted to process your sensitive health data – this also means that SkinScreener cannot be provided. We ask for your understanding in this matter.

2.2. Post-market surveillance

In order to fulfil our legal obligations regarding post-market surveillance for medical devices and to further develop SkinScreener's artificial intelligence, we process some of your personal data from your use of SkinScreener in anonymised form, without it being possible to draw any conclusions about your person. For this purpose, the personal reference is deleted and replaced by an internal ID that can no longer be assigned to you.

In order to carry out post-market surveillance and further develop the artificial intelligence of our app, analysed images with risk assessment, gender and age are transmitted via an encrypted connection to the ISO-certified data centre (location: Germany, local storage there), stored and processed for research purposes, further development and market surveillance of SkinScreener medical devices.

2.3 UV index

We record your location in order to provide the UV index. The location-based UV index informs you about the local UV radiation level and, based on the information transmitted, informs you about the remaining time until you get sunburned.

2.4 Push notifications

We use push notifications within our app to send you relevant topics related to the app, including reminders to perform a self-check, reminders to undergo a dermatological examination at intervals you have chosen yourself, and reminders when the UV index exceeds the threshold you have chosen. You can give and withdraw your consent at any time via your app settings.

2.5 Customer feedback

The processing activities are carried out for the purpose of being able to respond to customer feedback and enquiries in a targeted manner within the scope of customer surveys. For this purpose, we require your email address or that of your Apple or Google account.

3. POSSIBLE RECIPIENTS

SkinScreener is ad-free and does not share any data with advertising service providers. Nor do we sell, rent or lend your personal data to third parties.

We only share your personal data to the extent necessary with the following external service providers (processors) who support us in providing our services:

IT service providers and/or providers of data hosting solutions or similar services;

Other service providers, providers of tools and software solutions who also assist us in providing our services and act on our behalf (e.g. providers of communication services); Payment service providers (such as PayPal or Stripe)

Our processors only process your data on our behalf and on the basis of our instructions so that we can provide our services to you.

Please note that some of our processors are located in the United States or other third countries outside the EEA, for which there is currently no adequate level of data protection according to the case law of the European Court of Justice. There is therefore a risk that your data may be processed by US authorities for control and surveillance purposes without effective legal recourse. With your express consent, you also agree, in accordance with Art. 49(1)(a) GDPR, that your data may be processed by third-party providers (some of which are based in the USA).

In addition, we transfer your personal data to the following recipients (controllers) to the extent necessary:

  • External third parties to the extent necessary on the basis of our legitimate interests (e.g. auditors and tax advisors, insurance companies in the event of insurance claims, legal representatives in the event of a claim);
  • Research institutions (only on the basis of your express consent);
  • Authorities, courts and other public bodies to the extent required by law (e.g. financial or data protection authorities).

In the event of a merger, acquisition or sale of all or part of our assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of personal data, as well as your choices regarding personal data.

4. STORAGE PERIODS AND DELETION

We will only retain personal data for as long as is necessary to fulfil the respective processing purposes, including the fulfilment of legal, regulatory, tax, accounting or reporting requirements.

We may retain your personal data for a longer period if there is a complaint or if we reasonably believe that a legal dispute relating to our relationship with you is imminent. Our retention obligations may therefore continue to apply even if you no longer use the SkinScreener service.

When determining the appropriate storage period for personal data, we take into account the amount, nature and sensitivity of the personal data. We also consider the potential risk of harm from unauthorised use or disclosure and whether we can achieve these purposes by other means.

If the data is no longer necessary for the purposes pursued or legitimate interests and no other legal basis applies, we will delete the data as soon as the other legal basis no longer applies.

If you withdraw your voluntary consent or exercise your right to erasure, we will delete or anonymise all personal data and your health data that is not subject to any legal retention obligations within 30 days. If you do not request the proactive deletion of your personal data, all personal data, including your health data, will be automatically deleted or anonymised after three years of inactivity. No further action is required on your part.

All images recorded with the help of SkinScreener and rated as green, yellow or red, as well as the analyses and recommendations, are stored on your device. If the app is uninstalled from your device, all recorded images will also be deleted from your device.

Please note: Uninstalling the app does not delete the data we have processed up to that point. To delete the data, please proceed as described above.

5. PROTECTION OF DATA SUBJECT RIGHTS

You have the right to access, rectify, delete and restrict the processing of personal data by medaia. You can also withdraw your consent to the processing of personal data with future effect if the processing is based on your consent. You may have the right to receive the data you have provided in a structured, commonly used and machine-readable format (‘data portability’).

You have the right to object to data processing if there are reasons for this arising from your particular situation.

You also have the option of lodging a complaint with the data protection supervisory authority. The supervisory authority responsible for us is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, email: dsb@dsb.gv.at; tel: +43 1 52 1 52-0 (http://www.dsb.gv.at).

If you have any questions regarding your personal data, please contact us at datenschutz@skinscreener.at.

6. DATA SECURITY

Data security is very important to us. medaia uses appropriate technical and organisational measures to ensure the security of data processing to the best of its ability. In accordance with Art. 32 GDPR, this applies in particular to the protection of personal data against accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data that is transmitted, stored or otherwise processed (in particular, encrypted transmission and storage of your personal data).

All medaia employees are bound to confidentiality regarding information entrusted to them or disclosed to them in the course of their work.

7. WEBSITE

The website is operated by medaia GmbH as the data controller. In this notice, we inform you about the personal data we process in the context of this website. The website can generally be used without providing personal data.

7.1. Visiting our website

Legitimate interest pursuant to Art. 6 (1) (f) GDPR:

medaia GmbH processes the data within the scope of its predominantly legitimate interest pursuant to Art. 6 (1) (f) GDPR in order to achieve the stated purposes, in particular the provision of the website.

Purposes of processing:

The processing of your data serves to provide, ensure system security and improve the website and thus the public image of medaia GmbH.

Data categories:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the data accessed
  • Amount of data transferred
  • Notification of whether the access was successful
  • Identification data of the browser and operating system used
  • Website from which access is made
  • Name of your internet access provider

7.2. Cookies

Our website uses so-called cookies. These are small text files that are stored on your device with the help of your browser. They do not cause any damage. We use cookies to make our website user-friendly. Some cookies remain stored on your device until you delete them. They enable us to recognise your browser the next time you visit. You can control the setting of cookies and their storage duration via your browser settings. If you deactivate cookies, the functionality of our website may be restricted. You can find a detailed list of the cookies used by our website and further information in our cookie banner.

7.2.1. Necessary cookies

Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

7.2.2. Preferences

Preference cookies allow a website to remember information that affects the way a website behaves or looks, such as your preferred language or the region you are in.

7.2.3. Statistics

Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

7.2.4. Statistics

Marketing cookies are used to track visitors to websites. The intention is to display advertisements that are relevant and appealing to the individual user and therefore more valuable to publishers and third-party advertisers.

7.3 Storage period

We generally store your personal data for a period of 3 months. Longer storage only takes place if this is necessary to investigate attacks on our website.