Privacy policy

The topic of data protection is an important basic value of SkinTech Corp. We make the topic as transparent as possible and communicate what the corresponding data is used for and how. The data of the users is handled responsibly. The data will only be used within the framework of the applicable data protection laws, in particular the EU Data Protection Regulation (EU-DSGVO).

In particular, efforts will be made to continuously improve the SQIN App and all related offers and services and to better tailor them to the needs of users. However, this can only succeed if it is observed and evaluated how these offers and services are used. In the following, the user will be comprehensively informed about what happens with his or her data - especially about what happens with it, how and why. All information that must be provided in accordance with the EU General Data Protection Regulation is also listed here. Responsible for the protection of personal data and compliance with the EU General Data Protection Regulation is SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin, Germany (hereinafter referred to as "SQIN" or the "Provider"). It operates the above-mentioned services. Further contact details, contact persons and mandatory information about SkinTech Corp. GmbH can be found in the imprint or on the website http://www.sqin.co and within the SQIN app.

If the user has any questions about data protection or should exercise his or her rights in matters of data protection (see below), he or she may contact the data protection officer of SkinTech Corp. GmbH. He can be reached at the e-mail address info@sqin.co or by mail to SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

This privacy policy applies to all online offers and services that can be accessed under the brand "SQIN". The smartphone app SQIN for iOS and Android the website for the app SQIN under the domain www.sqin.co as well as other domains that refer to it.

The above offers and services are hereinafter referred to simply as "Services".

Table of contents:

The most important facts summarised at a glance

I. What data is collected when using the SQIN service?

II. Why are these data processed?

III. Do data also go to third parties or to other EU countries?

► The rights of the user as a data subject

► The individual data processing operations in detail

A. Data processing for the provision of the SQIN App Services

- Register user account and manage profile (with email address)

- Contact form and support requests (via e-mail service provider)

- HealthKit and Google Fit connection

- (further) cookie-based functionalities

B. Improving the SQIN service

- Storage and processing of usage data (via GF)

- Evaluate user behaviour on websites and app (via Google Analytics)

- Evaluation of usage behaviour within the mobile application via Google Analytics for Firebase)

- Evaluation of user behaviour of SQIN services (via smartlook)

C. Optimising our communication and marketing channels

- Marketing campaigns with Custom Audiences (via Facebook Pixel or Custom App Events via Facebook SDK)

- Marketing optimisation and evaluation of user behaviour in the SQIN App(via Adjust)

► Amendment of the privacy policy

You have the right

► Contact person for data protection and data protection officer

► The most important facts summarised at a glance

I. What data is collected when using SQIN services?

Direct input of clear data. When the user logs in to the SQIN mobile application, registers, buys premium content or uses a contact form for support enquiries, the provider requests personal data from the user via the corresponding forms, which identifiably and directly belong to the user or the user's identity (so-called clear data).

This clear data includes in particular name, title, email address and password. In the case of paid services, the provider may also ask for further contact details (postal address, telephone number) and, if applicable, shopping basket details and payment data. In addition, the user can also voluntarily provide further personal information about himself, which is then also stored, for example in his user profile.

There are no services or offers specifically tailored to children.

Data Enrichment. The provider sometimes enriches users' data through its own observations, but only with regard to presumed interests and only to the extent described in this privacy notice. Example: If a user has started a unit, it suspects an interest on their part to continue it and enriches the data set with this to remind the user in the app.

Provision of data by third parties. In some cases, personal data is also provided to the provider by third parties when using individual functions or services. This is the case, for example, if the user uses a sign-in service, such as from Facebook, to register for the SQIN service.

Pseudonymised data. In addition, data is also processed that has no directly recognisable reference to the user as a person (so-called pseudonymised data). Pseudonymised means that the user or his computer or browser could be recognised under an ID ("pseudonym"), but it is not possible to find out by normal means who exactly the user is or how to contact him. In other words, pseudonyms are not combined with clear data such as name or email address, simply because in this case we do not need to know more than necessary.

This applies, for example, if the provider wants to find out which screens in the SQIN app are clicked on particularly frequently and which are not clicked at all, or if the provider does not always want to show the user the same content in the app.

Further details. If the user needs more detailed information, the chapter "The individual data processing steps in detail" contains more detailed information.

II. Why are these data processed?

Personal data are processed mainly for the following purposes or on the basis of the following legitimate interests:

for personalisation: to be able to show the user his or her progress, to suggest content on the SQIN app that best suits the user's needs, or to alert the user via email or push notifications to content, notices and offers that are of interest to him or her;

for optimisation: to find out what particularly excites or disturbs the users and how the services can be improved; to achieve the specifically named goals,

to ensure operation: to recognise and ward off attack patterns and detect errors in the system in order to prevent the user from receiving e-mails from the provider against his or her will;

for financing: to process users' orders of premium content, or to send personalised discounts, vouchers and offers to the user;

to maintain the customer relationship and direct marketing on our own behalf: to inform the user about new offers and functions;

for fraud prevention, for verification of a given delivery address and for credit assessment, the outcome of which the provider may make dependent on which payment options are offered to the user;

for the fulfilment of legal requirements, in particular commercial and tax obligations, if necessary also obligations to provide information to authorities as well as for the defence or enforcement of claims;

The personal data is processed lawfully on the basis of the EU General Data Protection Regulation, namely - depending on the case - on the basis of the user's consent, a conclusion of a contract with the user, for the fulfilment of legal or official requirements and/or after weighing legitimate interests in the individual case (see DSGVO Article 6 (1) (a), (b), (c) and (f)).

If the provider processes data on the basis of consent or on the basis of a consideration of legitimate interests, it will only do so as long as the user does not object or revoke consent. More details are explained below in the details.

III. Do data also go to third parties or to other EU countries?

SQIN refrains from the commercial transfer of personal user data (sale, rental) to third parties and does not engage in address trading.

However, the provider does not do everything himself, but has engaged some service providers. Some service providers will have to have access to personal data or at least may have access. This concerns in particular the technology with which the provider operates, monitors and analyses its service or individual functionalities and offers. In addition, this concerns, among other things, the billing of orders and the collection of due invoices.

The provider commissions all these service providers in writing strictly in accordance with the requirements of the EU General Data Protection Regulation and also has, for example, technical and organisational measures explained with which the service providers protect the personal data entrusted to them from misuse. For this purpose, contracts for commissioned processing are concluded with the client, if necessary.

Some of the IT service providers commissioned by the provider are not based within the EU or the European Economic Area (EEA) or store and process personal data there. Unless, in the opinion of the EU Commission, the same level of data protection as in Germany exists in these areas anyway, the provider always insists on the guarantees required under data protection law for such a foreign transfer. As a rule, this is the conclusion of data protection contracts stipulated by the EU Commission (so-called EU standard contractual clauses).

In some cases, the provider also passes on data to third parties, who then process the data on their own responsibility, while complying with data protection requirements. This includes, for example, the services of providers such as Facebook, for example when the user registers with the provider via the Facebook sign-in. More details on this will be explained in the next chapter.

► App permissions 

Access to your camera is necessary to create the medical history images and is only used for this purpose by the "SQIN" app.

If you want to upload pictures from your picture gallery, the app "SQIN" needs access to your memory for this.

In addition, consenting to receive push notifications about status changes of your treatment is optional for you. If you do not consent to receive push notifications, you will not receive push notifications about status changes of your treatment.

If you use our application via the iOS operating system, i.e. the operating system of Apple for mobile devices, we ask for authorization to track your activities as part of the user behavior analysis (see "Processing in connection with Apple Search Ads"). This enables us to target you with advertising and to evaluate your actions triggered by the advertising.

► The rights of the user as a data subject

In accordance with the EU General Data Protection Regulation, the user has the right to request information about his or her personal data (see Article 15 of the GDPR), as well as a correction (see Article 16 of the GDPR), deletion (see Article 17 of the GDPR) or at least the restriction of processing (see Article 18 of the GDPR) of his or her personal data.

The user also has the right to data portability (see Article 20 GDPR). In addition, the user naturally has the right to revoke consent given for the processing of personal data at any time (Article 7 of the GDPR) and to object to processing based on the consideration of legitimate interests (see Article 21(4) of the GDPR). In addition, the user has the right to lodge a complaint with the competent data protection supervisory authority.

If the User has any questions about this or any other data protection issue to the Provider or would like to exercise his or her rights in matters of data protection, the User is welcome to contact our data protection officer. The user can reach him at the e-mail address info@sqin.co or by mail to SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

► The individual data processing operations in detail

In order to provide the user with an easier overview, this privacy policy has been structured according to how it relates to (A) the basic provision of SQIN's services and functionalities, (B) the optimisation of our services or (C ) the optimisation of our marketing activities.

Data processing for the provision of SQIN Services

In the following, details on individual areas, services and functionalities for the provision of the mobile application of SQIN Services are explained in more detail.

Register user account and manage profile (with email address)

When registering in the SQIN app, you have to enter your name, gender, interests and goal, among other things. When registering, it is also necessary to enter an e-mail address. This creates a user account. In case of registration, the user will receive a confirmation email to complete his registration. In the case of direct registration, the user is sent a one-time verification link to the e-mail address provided. This is to ensure that the provider uses the correct email address in the subsequent email communication and that the provider can correctly assign the user to his user account via the email address. After successful login, an authorisation token is stored in the app. The token is deleted from the smartphone when the user logs out of their user account via the logout function. Through this authorisation technique, the provider prevents his access data from being stored locally on the smartphone. In addition, the app only collects inventory data that the user himself provides in the course of logging in and registering or otherwise contacting the app. This data is used on the basis of the user's consent (see DSGVO Art. 6 para. 1 letter a)).

The provider creates a user profile from this personal data in order to be able to offer the basic functionalities of the app services on different platforms (iOS, WebApp, Android) on the basis of this profile. The processing of this data is thus carried out for the fulfilment of its obligations in terms of the user contract in accordance with DSGVO Art. 6 para. 1 lit. b). In addition, the provider also uses individual data of the user accounts of the users for other purposes, such as in connection with newsletters or push messages, orders and support requests. Further details on this can be found below in the more detailed information on the corresponding data processing.

However, the provider has used an IT service provider to store this data, namely Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland hereinafter "GF",terms.

SQIN has concluded a contract with GF for the processing of data on its behalf. GF stores and processes personal data strictly in accordance with the instructions of the provider. However, this may also take place outside the territory of the EU or the EEA, in particular in the USA. Insofar as the processing takes place in the USA, the processing takes place on the basis of the EU standard contractual clauses.

Revocation / opt-out option: The user has the option to delete his profile and all personal data stored therein at any time by sending his revocation to info@@sqin.co. The Provider will then forward this revocation to GF, which has undertaken to delete the relevant data. Furthermore, the Provider will also delete the User's user account if the User does not actively use any of the SQIN Services for a period of three years. If and to the extent that the data associated with his user account can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

Data processing during app installation  

Purposes

When you install our app or later access the app, data for an API call log is processed during installation and each time you access it. This processing is done for the following purposes:

• Enabling the use of the app,
• System Security,
• Technical administration of the network infrastructure,
• Evaluation of system safety and system stability,
• Ensure smooth connection establishment.

We do not match the processed data with other data files and in no case use the data to draw conclusions about your person.

Data types

During installation and at each access data collected subsequent data stored until their automated deletion after 30 days:

• Date and time of installation,
• Date and time of access,
• Name and URL of the retrieved file or page,
• Amount of data transferred,
• Access of the status (successful transfer of the file, file not found etc.),
• browsers and operating systems of the user's terminal device,
• Name of the provider of the user's Internet access.

Legal basis

The legal basis for this processing is the fulfillment of the usage contract entered into with you pursuant to Art. 6 para. 1 UAbs. 1 lit. b DS-GVO.

Necessity

The provision of our app is necessary for the execution of your usage agreement for our app with us. If you do not install and access our app, you will not be able to use it.

Storage duration

The data processed during installation or each time the app is accessed is automatically deleted after 30 days.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

Your right to object

You have the right to object to the above-described processing of data relating to you in accordance with Art. 21 DS-GVO, if there are grounds arising from your particular situation or your objection is directed against direct marketing.

Data processing at adjust 

Purposes

We use adjust to analyze your interactions with our app in order to further develop our app and make it even more user-friendly.

We also use adjust for attribution to improve our mobile advertising campaigns. Attribution is an analysis of where you as a user last interacted with an advertisement, article or social media post of SkinTech Corp. For this purpose, we analyze whether you viewed an advertisement, article or social media post of SkinTech Corp. GmbH, clicked on a link contained therein or left a comment under the advertisement, article or post.

Data types

Upon your consent to the analysis of your usage behavior ("marketing analysis") of our app by adjust, the following data about you will be processed:

• Your access time to our app,
• Whether they are a returning user of our app,
• Your access location when using our app,
• Your demographics,
• the language, device model, and platform (e.g., iOS or Android) of your endpoint device,
• Your IDFA (Identifier for Advertising on iOS devices) or Android Advertising ID,
• Your IP address and
• Your MAC address.

Demographic data includes information about the website, ad, or social media page from which you were directed to our app. This information is used to estimate your age group affiliation as well as the location from which you accessed our app.

If you consent to the analysis of your usage behavior of our app, the following data will be transmitted to Google Analytics for further user and advertising analysis:

• Your access time to our app,
• Your access location when using our app,
• to what extent you are actively using our app at the moment,
• Whether they are a returning user of our app,
• the language, device model, and platform (e.g., iOS or Android) of your endpoint device.

The data related to you will be anonymized before processing for the above purposes, so that you can no longer be identified by means of the above data.

You can reset or disable IDFA and Android Advertising ID at any time from your operating system.

Legal basis

The legal basis for the use of adjust is your express consent pursuant to Art. 6 para. 1 UAbs. 1 lit. a DS-GVO.

Storage duration

The above data will be deleted after 14 months.

Receiver

At no time will your health information be transferred to the recipients listed below.

The data relating to your use of our app that we process via the adjust program is processed by adjust GmbH, Saarbrücker Str. 38 a, 10405 Berlin.

The data we collect about you via adjust regarding your use of our app is transmitted to Google Analytics. The data transmitted to Google Analytics is processed on servers of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, and transmitted to the USA. Google is our processor for this processing and we have concluded an order processing agreement pursuant to Art. 28 DS-GVO with Google for this purpose. The legal basis for the third country transfer are standard data protection clauses pursuant to Art. 46 DS-GVO. Google provides appropriate guarantees for data protection, which you can view at https://privacy.google.com/businesses/processorterms/.

More information on how Google handles user data in connection with Google Analytics can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Your right to withdraw your consent

You have the right to revoke your consent at any time. The revocation of your consent to processing activities for the purpose of user behavior analysis using Google Analytics is possible within our app via the menu in the "Marketing Analysis" area by deactivating the "Marketing Analysis" function under Menu > Edit Account > Marketing Analysis. The lawfulness of the processing carried out on the basis of your consent until revocation is not affected by this

Data processing for user account 

Purposes

For the purposes of creating and managing a user account, we process the data about you mentioned below.

Data types

When you create your user account, we process the data you provide in the process in order to create and manage the account and to enable you to use the teledermatological advice we offer.

When you log in to the app, a session identifier is stored in the local memory of your terminal device that uniquely and immutably identifies you for all subsequent requests.

Legal basis

The legal basis for the related processing operations is your usage contract for our app with us pursuant to Art. 6 (1) UAbs. 1 lit. b DS-GVO.

Necessity

The creation of a user account for the teledermatological consultation via the "SQIN" app is a technical and organizational measure for the security of the processing of data relating to you in accordance with the requirements of data protection and to ensure the protection of your data subject rights. If you do not create a user account, you will not be able to use the teledermatological consultation via the "SQIN" app.

Storage duration

We store the session ID of your user account of our app until a logout, an uninstallation of the app or a failed verification. The session identifier has a maximum validity of one year, after which you will automatically receive a new identifier.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

Data processing during teledermatological consultation

Purposes

The purpose of processing the data related to you is the conclusion and execution of a treatment contract between you and the dermatologist as well as processing for billing purposes.

Data types

In order to process your request, it is necessary to provide the dermatologist treating you with the following information about you:

• Name,
• First name,
• Date of birth,
• Gender,
• Address,
• Email,
• Light images of the skin lesion,
• Answering the given questionnaire (incl. photographs of your doctor's letters, photographs of your medication lists, photographs of your allergy passport),
• Answers to queries raised by the dermatologist.

If the respective dermatologist requires further personal data from you for the treatment contract, the dermatologist will collect this data directly from you.

To ensure the quality of our diagnoses, the treating dermatologists consult our interdisciplinary expert panel when an expert opinion is required for a diagnosis.

Legal basis

In relation to SkinTech Corp. GmbH as the responsible party for the app "SQIN", the legal basis for the processing of the data relating to you is your usage contract for our app with us pursuant to Art. 6 para. 1 UAbs. 1 lit. b i. In conjunction with your consent to our processing of health data about you pursuant to Art. 9 (2) lit. a DS-GVO.

The legal basis for the processing of data related to you vis-à-vis SkinTech Corp. GmbH responsible for the app "SQIN" is your treatment contract with the dermatologists within the SQIN app pursuant to Art. Art. 9 para. 4 DS-GVO in conjunction with § 22 para. 1 UAbs. 1 lit. b BDSG in conjunction with Art. 9 para. 2 lit. h Var. 3 and Var. 6 DS-GVO in conjunction with Art. 9 para. 3 DS-GVO in conjunction with §§ 630a ff. BGB.

Necessity

The processing of the above data is necessary for the teledermatological consultation. If you do not provide us with the information requested by you, we will not be able to process your request.

In order to create the images of your skin lesions, the "SQIN" app needs to access the camera of your terminal device.

If you want to upload pictures of your skin changes from your picture gallery, the app "SQIN" needs access to your memory for this.

Storage duration

Your patient file will be stored for ten years after completion of treatment in accordance with the statutory retention periods pursuant to Section 630f (3) of the German Civil Code (BGB).

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

The assessing dermatologist receives the medical information relevant to him in order to make the diagnosis. If the treating dermatologists consider a second professional assessment of your treatment case necessary, the interdisciplinary expert panel of the SQIN App (specialists in otolaryngology, gynecology, urology, ophthalmology, rheumatology, etc.) is consulted.

If medical aftercare is required or desired, this is carried out by medical professionals on behalf of the dermatologists. In this case, the medically trained specialist contacts the patient via the app or by phone.

Contact form and support requests (via e-mail service provider)

Insofar as the user contacts the SQIN App, the email service provider of the provider google, represented by Google, Google Ireland Limited, Gordon House, Barrow Street Dublin 4 Ireland, processes the contact data as well as the content of his request.

Enquiries via email and contact form may concern communication and contract data as well as user history. In addition, enquiries about the provider's apps are received by the provider via email using the contact form of the app store. The data provided is treated confidentially. The data provided and the message history with the provider's customer service are stored for follow-up questions and subsequent contact.

Insofar as the user contacts the provider by e-mail or via a form, the provider uses the personal data transmitted by the user on the basis of legitimate interests exclusively to answer the user's enquiry.

SQIN has concluded a contract with Google Ireland for the processing of data on its behalf. Google Ireland stores and processes personal data strictly in accordance with the instructions of the provider. However, this may also take place outside the territory of the EU or the EEA, in particular in the USA. Insofar as processing takes place in the USA, the processing is carried out on the basis of the EU standard contractual clauses. Requests to delete the user profile and to unsubscribe from the newsletter via our contact channels are stored by the provider in its in-house systems in order to be able to track and prove that the user's request was successfully processed (obligation to provide proof). The user's data (email address, name and user name) will be deleted from the provider's system after one year and one month at the latest. In the case of deletion requests for the newsletter, a connection to the user's user account can be established using the in-house system, provided that it is the user's registration address. In the case of requests to delete a user account, no connection can be made to the user's account. The data are stored in the system protected from unauthorised access and are not passed on to third parties.

Revocation / opt-out option: A deletion of the user's customer enquiries takes place after 5 years or upon direct revocation to info@sqin.co.

If and insofar as the data associated with the user's e-mail enquiries can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax law regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

Data processing in AI-supported processes 

Purposes

Provided that you have consented to the processing operations in connection with the research of an AI-assisted teledermatological diagnosis when registering your user account or in the settings of your user account, we use the photos uploaded by you and the medical history forms completed by you to research an artificial intelligence that can support the teledermatological diagnosis. This will allow skin diseases to be detected even more quickly and effectively, and help future patients more quickly and effectively. We thank you for your support and trust if you consent to this processing. Your data will not be disclosed to third parties, but will be processed under strict secrecy and the highest security requirements by an experienced IT laboratory commissioned by us for research. The processing of your data takes place exclusively in Germany.

Data types

For the research of an AI-assisted teledermatological diagnosis, we process the photographs uploaded by you and the medical history forms filled out by you.

Legal basis

The legal basis for this processing is your consent pursuant to Art. 9 (2) UAbs. 1 lit. a DS-GVO.

Storage duration

We will use the above data that can be related to you for the purpose of researching an AI-assisted teledermatological diagnosis until you revoke your consent.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

The research of an AI-assisted teledermatological diagnosis takes place exclusively in Germany under strict secrecy and under the highest security conditions in an IT laboratory specialized in the research of AIs.

Your right to withdraw your consent

You have the right to revoke your consent to the processing of the above-mentioned data for the purpose of researching an AI-assisted teledermatological diagnosis. You can do this by logging into our app and deactivating the same in the account settings under the item "Product development". The lawfulness of the processing carried out on the basis of your consent until revocation is not affected by this.

Data processing for payment transactions 

Payment transactions related to the invoice issued to you due to the use of the Service are handled by the joint managers of the "SQIN" app.

You can use the following options to pay for the remuneration caused by the teledermatology consultation: PayPal, Stripe (credit card payment and Apple Pay).

Purposes

The processing serves the purpose of handling payment transactions related to the invoice issued to you by the dermatologist.

Data types

Within the framework of payment processing, data of the following types are processed:

• Case ID,
• Transaction ID,
• Date,
• Amount,
• Payment gateway (credit card via Stripe or PayPal),
• and for PayPal additionally the used PayPal address as well as the PayPal name.

Legal basis

The prerequisite for payment processing via SkinTech Corp. GmbH is that you, as the patient, consent to the dermatologists' billing and the associated processing. You thereby declare your consent to the forwarding of the information required in each case for the purpose of billing for the medical services provided, as listed in the data types, as well as the assignment of the claim to SkinTech Corp. GmbH for the purpose of collection.

The legal basis for this processing is your consent pursuant to Art. 9 (2) lit. a DS-GVO.

Storage duration

Invoices and receipts created in connection with the processing of the contract and your payment are stored for ten years in accordance with our legal obligations arising from Section 147 (3) Sentence 1 AO. The legal basis for this processing is our legal obligation Art. 6 para. 1 UAbs. 1 lit. c DS-GVO in conjunction with § 147 para. 3 sentence 1 AO.

Receiver

For the credit card and PayPal payment methods, the personal data you enter is transmitted in encrypted form to the Braintree payment service, a product of PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal. This includes your name, address, telephone number, IP address, e-mail address or other information necessary for order processing, including information about your order.

The processing of personal data is carried out by PayPal as the responsible party. To the extent necessary for the fulfillment of the order, data may also be disclosed to third parties by PayPal. For more information about the processing by PayPal, please visit https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.

Information on processing when using the Apple Pay payment service can be found at https://support.apple.com/de-de/HT201469.

Your right to withdraw your consent

You have the right to revoke your consent at any time by sending an e-mail to info@sqin.co. The lawfulness of the processing carried out on the basis of your consent up to the revocation will not be affected by this. Please note that the revocation of your consent to the payment process will result in no dermatological treatment taking place.

Data processing for prescription dispatch

Purposes

For finding and selecting pharmacies to which prescriptions are to be sent on your behalf by those jointly responsible for the "SQIN" app, we use the Google Maps API.

Data types

Within the scope of the prescription dispatch, data of the following data types are processed:

• the data you entered in the search field during the search query,
• Target Pharmacy,
• Postal address of the destination pharmacy,
• Fax number of the destination pharmacy.

The patient's address is sent to the Google Maps API. Our servers receive the geo-data of the address, which is matched with the internal pharmacy database of SkinTech Corp. GmbH, so that the five closest pharmacies (as the crow flies) are displayed to the patient in the app. The Google Maps API is called from our backend, the IP address of the user is not transmitted, only our server IP. The only data that is sent to Google is the address that the patient has given us.

Legal basis

The legal basis for the processing of your search query is our legitimate interest in providing you with an easy way to send prescriptions to an established pharmacy, if you make use of this option, pursuant to Art. 6 (1) UAbs. 1 lit. f DS-GVO.

Storage duration

We only store the address of the pharmacy to which we are to send the prescription for you. The address of the pharmacy will be stored together with your prescription in your patient file in accordance with §§ 630f para. 3 BGB for ten years.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

The data you enter in the search field during the search query is transmitted to Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and to Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, and processed in the USA. Google is our processor for this processing and we have concluded an order processing agreement pursuant to Art. 28 DS-GVO with Google for this purpose. The legal basis for the third country transfer are standard data protection clauses pursuant to Art. 46 DS-GVO. Google provides appropriate guarantees for data protection, which you can view at https://privacy.google.com/businesses/processorterms/.

Your prescription will be sent to the pharmacy you selected.

Data processing for medication delivery 

Purposes

For direct purchase and delivery of your medication to your home, you can submit your prescription to the pharmacy by selecting the "Shipping by Pharmacy" prescription option within the SQIN app.

Data types

Within the scope of the prescription dispatch, data of the following data types are processed:

• Your patient master data (your first and last name, address, date of birth and telephone number),
• Prescription data with dosage, package size and recommended intake of prescribed medications,
• Contact information of the prescribing physician.

Legal basis

The legal basis for the processing of your health data is your consent to the transfer of your health data to the pharmacy pursuant to Art. 9 (2) lit. a DS-GVO.

Storage duration

The notice of transmission to the pharmacy will be kept together with your prescription in your patient file in accordance with Section 630f (3) of the German Civil Code (BGB) for ten years.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

The prescription created by us is sent to the pharmacy. The pharmacy is the independent controller for this processing. 

Data processing for push notification 

Purposes

If you opt-in to receive push notifications through our app when you first launch our app or later in the app settings, we will send you push notifications to notify you of status changes to your treatment.

Data types

Push notifications include text messages about special events: completion of a report on a request you submitted, the ability to pick up a prescription, reminders about outstanding payments, requests for new images, and other callbacks from the dermatologist treating you.

When the app is launched for the first time, your mobile device registers with the corresponding push service of the platform (Android: Google Cloud Messaging; iOS: Apple Push Notification). In the process, a so-called "registration token" is created, which uniquely identifies the app installation on your device. The token is used to recognize the message destination. In the case of a push notification, our server sends the desired notification to the push service of your platform, which forwards the notification to your device.

Legal basis

The legal basis for this processing is your consent pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO.

Storage duration

The registration information within the scope of the initial launch is stored with the respective platform until the app is uninstalled.

Receiver

Push messages for iOS devices are transmitted to the Apple Push Notification Service platform, a service provided by Apple Inc, 1 Apple Park Way, Cupertino, California, USA.

Push notifications for Android devices are transmitted via the Google Cloud Messaging platform, a service provided by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Your right to withdraw your consent

You can revoke your consent to receive push notifications at any time via your app settings.

You can revoke your consent to receive push notifications at any time via the operating system of your end device as follows:

• Apple devices: Settings > SQIN > Messages;
• Android devices: Settings > Applications or apps > SQIN > Remove the checkmark from "Notifications".

Data processing in connection with aftercare

Purposes

We operate a patient follow-up support service that seeks feedback from you on your treatment and symptom development. Based on your feedback, we can record the success of the therapy and, if necessary, make or recommend adjustments to your therapy. In addition to ensuring the quality of follow-up care, this serves in particular to optimize the treatment plan in order to ensure a positive course of treatment.

Follow-up is only possible if you provide us with your phone number.

Data types

Data of the following types are processed in the course of follow-up care:

• Your patient data (name, address, date of birth, gender, photographs, medical history sheet, diagnosis and treatment recommendation),
• Date of request,
• Your phone number,
• Answering the given questionnaire (incl. photographs of your doctor's letters, photographs of your medication lists, photographs of your allergy passport),
• Answers to queries raised by the dermatologist.

Legal basis

In relation to SkinTech Corp. GmbH as the joint responsible party with the dermatologists for the app "SQIN", the legal basis for the processing of the data relating to you is your usage contract for our app with us pursuant to Art. 6 para. 1 UAbs. 1 lit. b i. In conjunction with your consent to our processing of health data about you pursuant to Art. 9 para. 2 lit. a DS-GVO.

In relation to the dermatologists as the persons responsible for the app "SQIN" together with SkinTech Corp. GmbH, the legal basis for the processing of the data relating to you is your treatment contract with the dermatologists pursuant to Art. 9 para. Art. 9 para. 4 DS-GVO in conjunction with § 22 para. 1 UAbs. 1 lit. b BDSG in conjunction with Art. 9 para. 2 lit. h Var. 3 and Var. 6 DS-GVO in conjunction with Art. 9 para. 3 DS-GVO in conjunction with §§ 630a ff. BGB.

Necessity

Follow-up care is necessary within the framework of dermatological treatment, especially for the quality assurance of the doctors' diagnoses and therapy suggestions. It is a complementary offer to ensure the quality of treatment. The aftercare is an optional offer and not obligatory. You will not suffer any disadvantage in the course of treatment if you do not take advantage of this offer.

Storage duration

Your patient file will be stored for ten years after completion of treatment in accordance with the statutory retention periods pursuant to Section 630f (3) of the German Civil Code (BGB).

Receiver

The data processed in the follow-up are performed by medical professionals on behalf of dermatologists.

We use a server located in Germany to store your double-encrypted patient file.

Data processing for newsletters

Purposes

Our newsletters are designed to provide you with recommendations and information in the field of dermatology, as well as topics related to everyday life, in addition to news from SQIN.

Data types

To receive the newsletter, it is sufficient to provide an e-mail address. We process the time of your registration for the newsletter as well as your IP address entered by the Internet service provider (ISP), which we convert into an anonymized user ID. This is used to determine if someone has misused your e-mail address to register for the newsletter.

Legal basis

The legal basis for this processing is your consent pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO.

Storage duration

We will use your email address to send you our newsletter until you withdraw your consent.

In order to fulfill our accountability in data protection, which we are subject to according to Art. 5 (2) DS-GVO, we keep a deletion log of the unsubscription of your email address for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 para. 1 UAbs. 1 lit. c DS-GVO.

Receiver

We use a German order processor with a German server location for the provision of our e-mail server.

We use a server located in Germany to provide the database for our app.

As part of our newsletter distribution, we evaluate your user behavior. This evaluation is used for the needs-based design and ongoing optimization of our newsletter.

Data types

The following types of data are processed:

• Email read and click behavior (open rate and click rate within the newsletter),
• the type of device used (desktop, tablet, cell phone),
• Whether you are a user or patient of our app,
• the time and date of your access to certain newsletter emails,
• Number of cases submitted in the app,
• the redirect URL (that is, which websites linked in the newsletter you open via the newsletter).

Legal basis

The legal basis is based on our legitimate interest pursuant to Art. 6 (1) UAbs. 1 lit. f DS-GVO to provide a promotional and user-friendly newsletter for you.

Storage duration

We store the above data until you revoke your consent, i.e. unsubscribe from our newsletter.

In order to fulfill our accountability in data protection, which we are subject to according to Art. 5 (2) DS-GVO, we keep a deletion log of the unsubscription of your email address for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 para. 1 UAbs. 1 lit. c DS-GVO.

Receiver

We use a German order processor with a German server location for the provision of our e-mail server.

We use a server located in Germany to provide the database for our app.

Your right to object

You have the right to object to the above-described processing of data relating to you in accordance with Art. 21 DS-GVO, if there are grounds arising from your particular situation or your objection is directed against direct marketing.

Data processing for evaluation requests

Purposes

In order to ask our existing customers for evaluations, you will receive a one-time evaluation request from us after each treatment. This serves to improve our services based on your evaluation.

Data types

We process your e-mail address, which you provided when registering in the app "SQIN", for sending the evaluation request.

Legal basis

The legal basis is based on our legitimate interest pursuant to Art. 6 (1) UAbs. 1 lit. f DS-GVO to improve our service based on your rating, i.e. to conduct personalized direct advertising.

Storage duration

We will use your email address to send you our evaluation requests until you opt-out of our use of your email address to send you direct mail.

In the event of deletion of your user account, we will delete your email address and you will no longer be sent direct mail.

Receiver

We use a server located in Germany to provide the database for our app and to store your double-encrypted patient record.

Data processing for shipping

Purposes

In order to keep our existing customers informed about our offers or services, to provide them with valuable content and to ask them for evaluations, you will regularly receive an information letter from us. In this context, we evaluate your user behavior. This evaluation is used for the needs-based design and continuous optimization of our information letters and our services.

Data types

The following types of data are processed:

• Email read and click behavior (open rate and click rate within these information letters to existing customers),
• the type of device used (desktop, tablet, cell phone),
• Whether you are a user or patient of our app,
• the time and date of access to the newsletter emails,
• the redirect URL (that is, which web pages linked in the information you open).

Legal basis

The legal basis is based on our legitimate interest pursuant to Art. 6 (1) UAbs. 1 lit. f DS-GVO to conduct personalized direct advertising.

Storage duration

We will remove your email address from our direct mail distribution list until you opt-out of our use of your email address to send you direct mail.

In order to fulfill our accountability in data protection, which we are subject to according to Art. 5 (2) DS-GVO, we keep a deletion log of the unsubscription of your email address for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 para. 1 UAbs. 1 lit. c DS-GVO.

Receiver

For the provision of our e-mail server, we use a German order processor with a German server location.

We use a server located in Germany to provide the database for our app.

Your right to object

You have the right to object to the above-described processing of data relating to you in accordance with Art. 21 DS-GVO, if there are grounds arising from your particular situation or your objection is directed against direct marketing.

Data processing when contacting us via contact form 

Purposes

You can contact us at any time via our contact form within the app if you have any questions about using our app when you are logged into your user account.

Data types

When you contact us, we process your user ID, your case ID and the content of your inquiry. Further information can be provided voluntarily.

Legal basis

In relation to SkinTech Corp. GmbH as the party jointly responsible with the dermatologists for the app "SQIN", the legal basis for the processing of the data relating to you is your usage contract for our app with us pursuant to Art. 6 para. 1 UAbs. 1 lit. b DS-GVO in conjunction with your consent to our processing of health data about you pursuant to Art. 9 para. 2 lit. a DS-GVO.

In relation to the dermatologist as the person responsible for the app "SQIN" together with SkinTech Corp. GmbH, the legal basis for the processing of the data related to you is your treatment contract with the dermatologist pursuant to Art. Art. 9 para. 4 DS-GVO in conjunction with § 22 para. 1 UAbs. 1 lit. b BDSG in conjunction with Art. 9 para. 2 lit. h Var. 3 and Var. 6 DS-GVO in conjunction with Art. 9 para. 3 DS-GVO in conjunction with §§ 630a ff. BGB.

Storage duration

If contact is made within the scope of the treatment contract, we will retain your information in your patient file for ten years in accordance with §§ 630a ff. of the German Civil Code (BGB). Otherwise, we delete the personal data processed for the use of the contact form after completion of the request you have made.

Necessity

The processing of your user ID and, if applicable, case ID is necessary for the processing of your request in order to assign your request to your patient file. If you submit your request via the contact form within the web app, this information is automatically transmitted to us.

Receiver

We use a server located in Germany to provide our app.

Contact us by phone or email 

Purposes

You can contact us via the e-mail addresses and telephone numbers provided on our website. Do not use this communication channel to send us health data.

Data types

In order to process your request, we use the e-mail address or telephone number provided to us by you. We only collect further information directly from you where it is necessary and relevant to answering your inquiry and is provided to us voluntarily by you.

Do not use this communication channel to provide us with health information.

Legal basis

The processing for the purpose of contacting us is carried out for the fulfillment of a contract by you with us or for the implementation of pre-contractual measures with you by us pursuant to Art. 6 para. 1 lit. b DS-GVO.

Necessity

The processing of your e-mail address or telephone number is necessary for the processing of your request in order to contact you again in this context. If you do not provide us with any of these data, we will not be able to process your request.

Storage duration

If contact is made within the scope of the treatment contract, we will retain your information in your patient file for ten years in accordance with §§ 630a ff. of the German Civil Code (BGB). Otherwise, the data you provide will be deleted by us after the request you made has been dealt with.

Receiver

We use a German order processor with a German server location for the provision of our e-mail server.

Data processing in conjunction with meta

Purposes

We use Facebook Pixel for the purpose of advertising and optimizing our advertising campaigns. We use this tool to serve ads on Facebook and Instagram to people who have visited our website or shown interest in certain topics. By analyzing your user behavior, we evaluate the effectiveness of our Facebook or Instagram campaigns and adapt them to the interests of our users.

Through our use of Facebook Pixel, Facebook is informed when you have clicked on one of our ads on Facebook or accessed the corresponding web page of our website.

Facebook provides us with the collected data anonymously so that we cannot identify you personally or draw conclusions about your identity.

Data types

Upon your consent to the processing activity of marketing analytics within our app, the following data about you will be collected:

• Your access time and access location to our app,
• to what extent you are currently active in our app,
• Whether they are a returning user of our app,
• Your demographic data (gender, age group, interests),
• The language, device model, and the device you are using (e.g. iOS or Android).

If you maintain a user account with Facebook or Instagram, this information will be assigned to your Facebook or Instagram user account.

If you do not maintain a user account with Facebook, Facebook stores your IP address and other identifiers.

Legal basis

The legal basis for this processing is your explicit consent pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO. You give your consent to this processing via our cookie banner when you select the category "marketing analysis" and consent.

Storage duration

The storage period is limited to 24 months.

Receiver

Facebook Pixel is a product of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ("Facebook"). Facebook is our processor for this processing and we have entered into a processing agreement pursuant to Art. 28 DS-GVO with Facebook for this purpose. The legal basis for this transfer are standard data protection clauses pursuant to Art. 46 DS-GVO. You can find out about the appropriate or adequate safeguards that Facebook Pixel gives us for third country transfers here https://web.facebook.com/legal/terms/data_security_terms and here https://web.facebook.com/legal/EU_data_transfer_addendum.

Your right to withdraw your consent

Revocation of your consent to processing activities for the purpose of user behavior analysis is possible within our webapp in the settings in the "Marketing Analysis" area by deactivating the "Marketing Analysis" function. This does not affect the lawfulness of the processing carried out on the basis of your consent until revocation.

Data processing together with TikTok

Purposes

We use TikTok Pixel, a service of TikTok Technology Ltd., to display our advertisements to you as a TikTok user when you show interest in our service. In doing so, TikTok Pixel allows us to determine the target audience for the display of advertisements. By analyzing your user behavior, we evaluate the effectiveness of our TikTok campaigns and adapt them to the interests of our users.

Data types

In the context of advertising on TikTok, the following types of data are processed:

• Your user behavior, if you have visited the TikTok network site or are a TikTok user, that is:
• the number of our ads viewed by you and your clicks on our ads,
• Events triggered by you in the app, i.e. your. Registration in the app, creating cases in our app, and paying for the diagnosis of cases created in our app,
• Information about your operating system and device ID,
• anonymized, cumulated data for the creation of so-called custom audiences if you have shown interest in our service

We process information about triggered events (registration in the app, creation of a case, purchase within the app) in our app only if you have consented to the processing operations for the purpose of "marketing analytics" within our app.

If you maintain a user account with TikTok and have consented within your TikTok account to processing for the purpose of personalized advertising, TikTok will transmit your location and gender to us if you have provided your location as part of your registration with TikTok.

Legal basis

If you consent to the processing for the purpose of "marketing analytics" within the app, the legal basis of this processing activity is your consent pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO.

Storage duration

The personal data processed in the context of the advertisement will be deleted after 18 months.

Receiver

The above data relating to you will be processed on our behalf by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok"). The aforementioned data that can be related to you will be transferred to the USA. For this purpose, we have concluded an order processing agreement pursuant to Art. 28 (3) DS-GVO with TikTok Technology Limited within the scope of the Terms of Use, including standard data protection clauses pursuant to Art. 46 DS-GVO.

You can learn about the appropriate or adequate safeguards TikTok gives us for third country transfers here https://www.tiktok.com/legal/privacy-policy?lang=de and here https://ads.tiktok.com/i18n/official/policy/privacy.

Your right to withdraw your consent

You have the right to revoke your consent at any time. Revoking your consent to processing activities for the purpose of user behavior analysis is possible within our app via the menu in the "Marketing Analysis" area by deactivating the "Marketing Analysis" function under Menu > Edit Account > Marketing Analysis. This does not affect the lawfulness of the processing carried out on the basis of your consent until revocation.

Data processing in connection with social media plugins

Purposes

Social media plugins are extensions for external pages, i.e. the modules embedded on our websites allow you to click directly to the corresponding social network profile. We use social plugins of the platform Instagram (part of Facebook Ltd.) as well as TikTok on our website to make the content of our website more informative and interesting for you.

Data types

When you access a page that has an embedded video or social plugin and have consented to the processing in "Other Media" within the Consent banner, a connection is established to the servers of Facebook and TikTok. The following types of data about you will be processed:

• - the browser you are using,
• - the IP address of your terminal device
• - the page you visited on this website,
• - the contents presented for you,
• - the language, device model, and platform (e.g., iOS or Android) of your endpoint device.

Legal basis

The legal basis of this processing activity is your consent to the processing operations in "Other Media" pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO.

Storage duration

The above data that can be related to you will be stored for 24 months.

Receiver

We use a web hoster with server location in Germany for the provision of our website.

Facebook Pixel is a product of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ("Facebook"). Facebook is our processor for this processing and we have entered into a processing agreement pursuant to Art. 28 DS-GVO with Facebook for this purpose. The legal basis for this transfer are standard data protection clauses pursuant to Art. 46 DS-GVO. You can find out about the appropriate or adequate safeguards that Facebook Pixel gives us for third country transfers here https://web.facebook.com/legal/terms/data_security_terms and here https://web.facebook.com/legal/EU_data_transfer_addendum.

The above data relating to you will be processed on our behalf by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok"). The aforementioned data that can be related to you will be transferred to the USA. For this purpose, we have concluded an order processing agreement pursuant to Art. 28 (3) DS-GVO with TikTok Technology Limited within the scope of the Terms of Use, including standard data protection clauses pursuant to Art. 46 DS-GVO.

You can learn about the appropriate or adequate safeguards TikTok gives us for third country transfers here https://www.tiktok.com/legal/privacy-policy?lang=de and here https://ads.tiktok.com/i18n/official/policy/privacy.

Your right of withdrawal

You have the right to revoke your consent at any time. The lawfulness of the processing carried out on the basis of your consent until revocation is not affected by this.

Data processing in connection with Pinterest

Purposes

We use the Pinterest tag, a service of Pinterest Europe Ltd., in order to use our Pinterest campaigns in a demand-oriented manner, to further optimize them and to measure their success If you have reached our website via a Pinterest ad, we can track your subsequent actions. By analyzing your user behavior, we evaluate the effectiveness of our Pinterest campaigns and adapt them to the interests of our users.

Data types

When you consent to the analysis of your usage behavior within our app, i.e. the "marketing analysis", the following data is also processed:

• Your last view of our ad (relevant for conversions),
• the number of our ads you view and your clicks on our ads (Frequency),
• Your access time and location when using our app,
• to what extent you are actively using our app at the moment,
• Whether they are a returning user of our app,
• Events triggered by you within the app, i.e. your registration in the app, creation of cases, as well as payment for the treatment of cases created by you in our app,
• the language, your device type, and the operating system (e.g. iOS or Android) used on your end device,
• demographic data (gender, age and interests).

We receive the above-mentioned data on the last visual contact of you and other users with our ads and the number of viewed and clicked ads per placement from Pinterest in the form of statistical evaluations. This means that we receive an indication of the number of users who clicked on our ad and were redirected to the App Store or Play Store.

Legal basis

The legal basis for this processing activity is your consent to processing for the purpose of marketing analysis pursuant to Art. 6 (1) UAbs. 1 lit. a DS-GVO, provided that you have given us this consent when registering your user account or via the user account management.

Storage duration

The personal data processed as part of the advertisement will be deleted after 180 days.

Receiver

The above-mentioned data relating to you will be processed on our behalf by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, ("Pinterest"). The data related to you will be transferred to the USA. For this purpose, we have concluded an order processing agreement pursuant to Art. 28 (3) DS-GVO including standard data protection clauses pursuant to Art. 46 DS-GVO with Pinterest.

You can learn about the appropriate or adequate safeguards Pinterest gives us for third country transfers at https://policy.pinterest.com/de/privacy-policy.

Your right to withdraw your consent

You have the right to revoke your consent at any time. Revoking your consent to processing activities for the purpose of user behavior analysis is possible within our app via the menu in the "Marketing Analysis" area by deactivating the "Marketing Analysis" function under Menu > Edit Account > Marketing Analysis. This does not affect the lawfulness of the processing carried out on the basis of your consent until revocation.

Data processing in connection with Youtube

Purpose

To optimize our web presence, we embed videos via YouTube on our website.

Data types

When you call up a page that has an embedded video, a connection is established to the YouTube servers. The following types of data about you are processed in the process:

• the browser you are using,
• the page you visited on this website,
• device-specific information including the IP address of your end device,
• the content displayed for you from YouTube.

We use the "enhanced privacy mode" option provided by YouTube. According to the information provided by YouTube, in "extended data protection mode" the above-mentioned data is only transmitted to the YouTube server in the USA when you watch the video.

Legal basis

The legal basis for this processing is our legitimate interest pursuant to Art. 6 (1) UAbs. 1 lit. f DS-GVO to supplement our offer with dermatological information for you.

Storage duration

For more information, see Google's privacy policy(https://policies.google.com/privacy?hl=de&gl=de).

Receiver

The above-mentioned data that can be related to you is processed by YouTube, LLC 901 Cherry Ave, 94066 San Bruno, CA, USA, a company of Google Inc, Amphitheatre Parkway, Mountain View, CA 94043, USA. We have concluded an order processing agreement with YouTube as our processor pursuant to Art. 28 (3) DS-GVO. The legal basis for the third country transfer are standard data protection clauses pursuant to Art. 46 DS-GVO. Google provides appropriate guarantees for data protection, which you can view at https://privacy.google.com/businesses/processorterms/.

If you have a user account with YouTube and are logged in there at the time of calling up the page, the data processed when calling up the page will be assigned to your user account if you have not logged out beforehand.

For more information on data protection at YouTube, please see Google's privacy policy(https://policies.google.com/privacy?hl=de&gl=de).


Processing in connection with Apple Search Ads purposes

We use Apple ads to promote our app within the App Store. This involves compiling data about people with similar interests into groups called "segments". These segments are used to help display personalized ads. Your personal information is used to determine to which segments the data related to you is assigned and consequently which advertisements are displayed to you.

Data types

The following types of data are processed within the framework of the advertisement:

• Number of ads viewed,
• Number of clicks on our advertisement,
• Number of times our app was installed, triggered by the ad,
• Search terms through which our ad was displayed
• In addition, the following personal data are processed:
• Your IP address and
• Information about your device ID,
• Your device type and
• the operating system used by your terminal device.

Legal basis

We process your data based on our legitimate interest pursuant to Art. 6 para. 1 UAbs. 1 lit. f DS-GVO to conduct effective marketing.

Storage duration

The personal data processed in the context of the advertisement will be deleted after 14 months.

Receiver

The above data relating to you will be processed by Apple Distribution International Ltd ("ADI"), whose address is Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. The data relating to you will be transferred to the United States. Apple provides appropriate privacy safeguards, which you can access at https://searchads.apple.com/de/privacy/.

Your right to object

If you don't want to receive personalized ads, you can turn off the personalized ads setting on your iPhone, iPad, iPod touch, or Mac.

For more information about disabling advertisements, please visit: https://support.apple.com/de-de/HT202074.

HealthKit and Google Fit connection

Apple HealthKit.

The Provider uses the HealthKit framework (for more information see here) from Apple (Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA; "Apple"), which provides a central storage location for health and fitness data on the iPhone and Apple Watch and - with the express consent of the User - lets apps communicate with the HealthKit Store to access and share this data. This connection must be actively activated by the user via their system parameters. The HealthKit connection can be deactivated by the user at any time via their system parameters. From this point on, no more data will be exported to the provider. The provider processes the following data obtained through the HealthKit framework and the Apple CoreMotion processor (more information can be found by the user here) for the purposes described below and with the express consent of the user: steps, calories, distance, duration and heart rate. New data attributes can be added to the HealthKit framework, which are mapped in the SQIN app and to which the user must agree.

Google Fit SDK

The Provider uses Google's Fit SDK (for more information click here) an open platform that allows Users to control their fitness data. The Provider processes the following data received by the Provider via the Google Fit SDK for the purposes described below and with the express consent of the User: steps, calories, distance, duration and heart rate. New data attributes may be added to the Google Fit framework, which will be mapped in the product and to which the user must consent.

The SQIN App and analytics service providers of the SQIN Service may analyse activity data for research purposes designed to provide a personalised service and promote healthy habits. The SQIN App may share the User's data obtained via the HealthKit framework or Google Fit SDK - with the User's explicit consent - with a third party for medical research. The SQIN Service does not use information obtained through HealthKit or Google Fit SDK applications for advertising or similar services. Users may prevent the SQIN Service from accessing their data at any time by changing their mobile device settings. Those who use HealthKit or Google Fit SDK to store and analyse their sensitive data should make sure to protect their smartphone with a secure code (e.g. deactivate the simple code in the iPhone under Touch ID & Code and create a password with a combination of upper case letters, lower case letters, numbers and special characters).

In order to improve the browsing experience on SQIN's websit, the user uses so-called cookies (small files with configuration information). Cookies are used on the SQIN website to increase user-friendliness and to make the website as individual and needs-based as possible each time it is called up. Furthermore, a cookie banner cookie is set on the SQIN website. With the help of this cookie, the provider notes whether the user has already been a visitor to the site and has accepted the cookies (in accordance with the EU's "Cookie Directive", official name: E-Privacy Directive 2009/136/EC). To save the user from having to display the annoying notice again, the cookie is automatically deleted after three months, so that the user does not have to confirm the cookie banner again until it expires. Such cookies are not only set by the SQIN website itself, but also by third-party providers on its behalf, such as Google.de (see below). When calling up a page on sqin.co, cookies are also set that remain stored beyond the user's current visit to sqin.co (so-called session).

General browser data: The SQIN website also automatically collects and stores information in cookies that is transmitted to the user's web browser, which the user uses to access the sqin.co website. In particular, this includes details of the browser and operating system used, an indication of the origin of the previously visited pages (so-called referral URL), the IP address or host name of the accessing computer and the time of the page request. This data is used for the statistical evaluation of the pages of sqin.co The SQIN website will not link the existing usage data with the name or address data of the users, which are requested, for example, when registering with the SQIN app (so-called inventory data); the collected, pseudonymous usage data will be used for long-term evaluation purposes and will only be deleted at the end of the evaluation phase or as required by law.

Revocation / opt-out option: If the user does not want cookies to be used or wants to delete existing cookies, he or she can switch them off and remove them via his or her Internet browser. He can find help on deleting cookies for the most common browsers via the following links: - Internet Explorer - Mozilla Firefox - Safari - Chrome

The SQIN websites also use analytical cookies from third-party providers, for example Google and Facebook, for analysis purposes. The use of analysis programmes by the SQIN website and the collection of data (pseudonymised data) by partner companies can be objected to at any time with effect for the future. These functions are offered and provided by the respective operators and the user will find this described again in the associated notice.

B. Improving the SQIN service

Storage and processing of app usage data (via GF)

The provider uses the service provider Google Firebase to store usage data of the SQIN Services. This is represented by Google Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland. In addition to the user profile (user name, login data), the provider stores the usage data of a user within the app on the GF servers, e.g. when a user logs in and what progress he makes. The storage of usage data enables the Provider to operate the App in a user-friendly manner. Only in this way can the provider ensure that users can continue from where they left off the last time they open the app and that the settings selected in the user's personal profile do not have to be adjusted each time. In accordance with the requirements of the GDPR for the use of IT service providers, we have concluded a written contract with GF for the processing of data on our behalf. GF stores and processes personal data strictly in accordance with our instructions. However, this may also take place outside the territory of the EU or the EEA, in particular in the USA. In order to achieve a level of data protection comparable to the DSGVO, the provider has concluded with GF the data protection contracts officially prescribed by the EU Commission (so-called EU standard contractual clauses).

Revocation / opt-out option: The user has the option of deleting his or her profile and all personal data stored therein at any time by sending his or her revocation to info@sqin.co. The provider will then forward this revocation to GF, which has undertaken to delete the corresponding data. Furthermore, the provider will also delete the user's account if the user does not actively use any of our SQIN services for a period of three years. If and to the extent that the data associated with his user account can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax law regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

Evaluation of the usage behaviour of the SQINI website and the web app (via Google Analytics)

For the evaluation of user behaviour on the SQIN website, the provider uses the Google Analytics service, which is operated by Google. "Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland.

A cookie is set to evaluate user behaviour. The information generated by this cookie about his or her use of this website (including the user's IP address) is transmitted to Google's servers and stored there.

SQIN and Google have entered into a joint processing agreement for this purpose, the agreement can be viewed here: https://support.google.com/analytics/answer/9012600

The SQIN website uses Google Analytics exclusively with the extension of IP anonymisation, so that IP addresses are only processed in abbreviated form in order to exclude direct personal references. Through IP anonymisation, the IP address is shortened by Google within member states of the EU or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating your use of the web app and website, compiling reports on web app and website activity and providing other services relating to website activity and internet usage.

Revocation / opt-out option: The collection and storage of data by Google Analytics can be revoked at any time with effect for the future. For this purpose, the user has the option of installing a browser plug-in issued by Google. This is available for various browser versions and can be downloaded at http://tools.google.com/dlpage/gaoptout?hl=de.

If and to the extent that the data associated with the user's account can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax law regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

Evaluation of app usage behaviour in the SQIN app (via Google Analytics for Firebase)

For the evaluation of user behavior in the SQIN App, the App uses the service Google Analytics for Firebase, which is operated by Google LLC. As SkinTech Corp. GmbH is based in Germany, the partner is the European Google LLC subsidiary "Google Ireland Limited", Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland.

On the one hand, the provider uses Google Analytics for Firebase to optimise our app functionalities and designs in so-called A/B tests. In such tests, the original version of the app is tested against a slightly modified version. The provider then analyses how well the new function is accepted compared to the previous version. In this way, the provider can continuously improve the design and the functionalities of the app and increase the user-friendliness. In order to be able to collect this comparative data, Google Analytics for Firebase processes the usage data of users in an app.

The Provider uses the services of Google Analytics for Firebase within the framework of the EU General Data Protection Regulation due to the interest in making the App as user-friendly as possible for users and thus optimising the user experience. On the other hand, the provider can use the Google Analytics for Firebase service to make evaluations of user behaviour in the app and thus better understand how users use the app and what the provider could still improve. Google Analytics for Firebase processes user data such as the IP address, demographic characteristics of the users, technical data on the mobile device used and the installed software version, and usage data such as the number of accesses to the app and actions in the app such as programme purchases. Such usage data is also used by Google Analytics for Firebase for statistical projections that compare the behaviour of users to other users of the app, and thus allow conclusions to be drawn with a certain statistical probability, e.g. whether a user may be interested in purchasing a programme. Based on these statistics, the provider can send the user targeted offers and discounts on SQIN that might interest the user.

The Provider uses the services of Google Analytics for Firebase within the framework of the EU General Data Protection Regulation due to the interest in designing its product in a user-friendly manner, and to be able to address users in advertising communication in a manner that is as targeted as possible according to their interests, and to be able to play only really relevant offers for them. In order to be able to use the Google Analytics for Firebase service, the provider has built its "Software Development Kit" (SDK) into the SQIN app. This creates an interface through which Google can access the above-mentioned data via the app. The information generated via the SDK about the use of the SQIN app by the user (including the IP address) is transmitted to a Google server in the USA and stored there. Google will - at least according to its own statements - in no case associate the user's IP address with other Google data. However, Google may store and process the relevant personal data in any facilities maintained by Google, its internal sub-processors or the digital infrastructure providers used. In all cases where this data leaves the EEA (European Economic Area) or Switzerland, the transfer will be made using the standard contractual clauses.

Revocation / opt-out option: For all requests relating to personal data, the user can contact info@sqin.co by email. The provider will forward these requests to Google, who have agreed to comply with all obligations arising from the EU General Data Protection Regulation. These include access, rectification, restriction of access and deletion of personal customer data. These obligations are implemented to the extent permitted by EU law on retention periods.

If and to the extent that the data associated with the user's account can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax law regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

Evaluation of the usage behaviour of SQIN services (via smartlook)

The provider uses the smartlook service to mark sessions; this service is operated by Smartsupp.com s.r.o., Milady Horakove 13, 602 00 Brno, Czech Republic. The smartlook service records user behaviour on video and can be subsequently analysed by the provider. For this purpose, the software sets a cookie on the user's computer (for information on cookies, see the relevant parts of this policy). Personal data is not stored by the provider in the context of the use of the service.

The provider only uses Smartlook if the user has consented to this. The legal basis for the processing of the users' personal data after consent is Art. 6 para. 1 lit.a DSGVO.

The processing of the users' personal data enables the provider to analyse the users' behaviour. By evaluating the data obtained, the provider is able to compile information on the use of the individual components of the SQIN services. This helps the provider to continuously improve the SQIN services and their user-friendliness.

Revocation / opt-out option: No personal user data is stored by the provider. Only anonymous analysis data is processed for evaluation purposes. Anonymized usage logs are stored in accordance with legal requirements and automatically deleted after 30 days. For more information, please refer to the Smartlook privacy policy: https://www.smartlook.com/de/privacy

Cookies are stored on the user's computer and transmitted from it to the provider. Therefore, the user has full control over the use of cookies. By changing the settings in his Internet browser, the user can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for the provider's website, it may no longer be possible to fully use all the functions of the website. By clicking the following link https://www.smartlook.com/opt-out, the user can prevent future traking by smartlook.

C. Optimising our communication and marketing activities

Marketing campaigns with Custom Audiences (via Facebook Pixel or Custom App Events via Facebook SDK)

In its services, the Provider uses services of the social network Facebook, represented by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. In order to measure and optimally control the marketing campaigns, the Provider uses so-called "remarketing tags" in the SQIN Services. On the SQIN website, this is the so-called "Facebook Pixel", which is activated when a page is visited and provides Facebook with the information that the page was called up. In the apps, so-called "Custom App Events" are activated, which provides information to Facebook via an interface in the app (SDK) about which pages a user calls up in the app. When the user uses the SQIN services, a direct connection to the Facebook server is established via the remarketing tags. Based on his IP address, Facebook receives the information that the user has used the SQIN Services and thereby documents several individual actions within the SQIN App Services for which the advertisements are optimized. When using the website, the following actions are distinguished and recorded:

Calling up a specific landing page (e.g. homepage)

When using the app, in addition to the actions listed above, information is also collected that is only possible within the scope of app use. These actions can be assigned to the user's account. SQIN can use the information obtained in this way for the more targeted display of advertising on Facebook. The provider points out that SQIN has no knowledge of the content of the data transmitted via the Facebook Pixel or the Facebook SDK or of its use by Facebook. With the help of the usage data processed via the Facebook Pixel or the Facebook SDK, SQIN can display advertisements on Facebook and the other marketing channels of Facebook (e.g. Instagram) in such a way that they are more relevant for the user, as they take better account of his individual user behavior. In addition, the provider can thus measure whether marketing campaigns even lead to the desired result (e.g., app install). SkinTech Corp. GmbH uses the services of Facebook in this context within the framework of the EU General Data Protection Regulation due to the legitimate interest in distributing advertising budgets more effectively and optimizing the advertising effect. During the data processing described above, data is transmitted to Facebook's servers and stored. Facebook also transmits the data collected as part of the Facebook Pixel offer to the parent company Facebook, Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA. Further information on this can be found in Facebook's privacy policy.

Revocation / opt-out option: If the user does not want advertising on Facebook to be based on his or her interests and usage behaviour, he or she can object to this here in the Facebook settings at any time.

Marketing optimisation and evaluation of app usage behaviour in the SQIN app (via adjust)

For the evaluation of the success of advertising campaigns as well as the evaluation of user behaviour within SQIN, the Provider uses the Adjust service, which is operated by adjust GmbH. Adjust GmbH has its registered office at Saarbrücker Str. 37A, 10405 Berlin. When a user interacts with the advertising campaigns played out by SQIN, this usage data is forwarded to adjust. Based on this data, adjust evaluates the reaction of users to the SQIN advertising campaigns and thus enables analyses of the effectiveness of the campaigns played. The processing of the data includes the IP address, MAC address, device identification number and HTTP header with associated information. The collection of data ranges from interaction with advertising campaigns (e.g. clicks on the ad), to the download of the app, to the interaction with the app after the download. The SQIN App uses the services of adjust within the framework of the EU General Data Protection Regulation due to the legitimate interest in distributing advertising budgets more effectively and optimising the advertising impact.

Revocation / opt-out option: If the user wishes to object to the processing of this data by adjust, he or she can send his or her revocation request at any time by e-mail to info@sqin.co. We will then forward this request to adjust. adjust undertakes to comply with the instructions forwarded by us. The deletion of the data will be carried out in accordance with the legal requirements, i.e. legal storage and verification obligations will be taken into account. In addition, if the user does not wish to be tracked by adjust, he or she can select the options available at https://www.adjust.com/forget-device/.

In addition, the user can activate the option "Switch off tracking" in the SQIN app in his profile under "Data protection information". This deactivates the data analysis by adjust.

If and to the extent that the data associated with the user's account can and must still be used for purposes that have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is particularly the case in the case of legally mandatory retention obligations such as corresponding commercial and tax law regulations. The latter can be up to 10 years (see Section 147 (3) of the German Fiscal Code).

► Amendment of the privacy policy

The provider will update the privacy policy if necessary. The use of the User's data is subject to the current version, which can be found at http://www.sqin.co/privacy-policy. In the event of a change to this statement concerning a material area (e.g. change of authorization, new functions, etc.), the User will be notified by e-mail with which he/she has registered in the Service. If the User continues to access and use the Service after the change comes into effect, the User agrees to be legally bound by the revised Privacy Policy.

► You have the right

• according to Art. 15 DS-GVO to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the category of recipients to whom the data relating to you has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of the data relating to you if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• in accordance with Art. 16 DS-GVO to demand the correction of incorrect or the completion of your personal data stored by us without delay;
• pursuant to Art. 17 DS-GVO to request the deletion of your data stored by us, unless the processing of such data is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
• to request the restriction of the processing of your personal data pursuant to Art. 18 DS-GVO, provided that the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 DS-GVO;
• according to Art. 20 DS-GVO to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller;
• to revoke your consent at any time in accordance with Art. 7 (3) DS-GVO. This revocation has the consequence that we may no longer continue the processing based on this consent for the future, whereby the processing carried out up to the time of the revocation remains lawful;
• to complain to a supervisory authority in accordance with Art. 77 DS-GVO. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our headquarters for this purpose. The supervisory authority responsible for our headquarters is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, phone: +49 30 13889-0, email: mailbox@datenschutz-berlin.de

Links to the website of other providers: Our app may contain links to providers of other Internet content via the links to our presences on platforms of social media operators already set out. This privacy policy relates exclusively to the processing of this app. We have no influence on the processing on linked sites. Please inform yourself there about the processing that takes place in each case.

Retention and deletion of data: In principle, we only store your personal data for as long as is necessary to fulfill our contractual obligations. Therefore, all stored personal data and pseudonymized usage data will be deleted when they are no longer needed for the purposes for which they were collected or when they expressly request this and we are not obliged to store them due to legal regulations. This includes storage and documentation obligations, for example, under commercial law, tax law or the German Civil Code. In some cases, these laws provide for retention periods of 10 years or more. In these cases, the data is deleted automatically after expiry of the legally prescribed retention period.

Disclosure of personal data Except for the recipients mentioned above, we do not disclose your personal data to third parties. This only happens if

• you have given your express consent pursuant to Art. 6 (1) UAbs. 1 lit. a or Art. 9 (2) lit. a DS-GVO,
• the disclosure of the data relating to you is necessary for the assertion, exercise or defense of legal claims pursuant to Article 6 (1) (1) (f) DS-GVO and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of the data relating to you,
• there is a legal obligation for the disclosure pursuant to Art. 6 (1) UAbs. 1 lit. c DS-GVO or
• the transfer is legally permissible and necessary according to Art. 6 para. 1 UAbs. 1 lit. b DS-GVO for the processing of contractual relationships with you.

► Contact person for data protection and data protection officer

For questions regarding the collection, processing and use of personal data, for information, correction, blocking or deletion of data and revocation of consents granted, the user can - as far as applicable - at any time by e-mail to info@sqin.co or by letter to SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

Data protection officer of the Provider can be reached at the e-mail address info@sqin.co or by mail to SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

Status: May 2023 - We reserve the right to adapt this data protection declaration