Privacy Policy SkinScreener API - General

(as of 04/2026)

medaia GmbH ("medaia," "we," "us") considers it important to adequately protect your personal data. When processing personal data, medaia therefore complies with the applicable legal provisions on the protection, lawful handling, and confidentiality of personal data, as well as on data security, in particular the EU General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG"), and the Telecommunications Act ("TKG").

This privacy policy informs you about the nature, scope, and purposes of the processing of your personal data when you use our SkinScreener API ("SkinScreener") to obtain a risk analysis of your individual skin cancer risk based on transmitted images of your moles and skin lesions.

1. Name and address of the controller

The controller responsible for processing your personal data in accordance with data protection regulations is:

medaia GmbH
Am Eisernen Tor 5/1/12
8010 Graz

The contact details of the data protection officer are: datenschutz@medaia.at

2. How is your personal data processed?

2.1 Use of SkinScreener

When you use SkinScreener, we process your personal data. We only process the data that you provide to us when you grant authorization and request an evaluation. This includes the following data in particular:

  • Personal data/basic information (name, year of birth, gender, provided by you)
  • Account information (email address, Apple/Google ID if applicable, password)
  • Device information (device ID)
  • Health data (photographic documentation of the skin lesion provided by you, results of the automated risk assessment)

The processing of your personal data serves the purpose of authenticating your access to SkinScreener, correctly assigning and evaluating the transmitted images of your skin lesions, and granting you access to your archived images in SkinScreener. The evaluated images enable a risk assessment with regard to any existing skin cancer risk. The data for authentication in the app is provided by the third-party application and processed directly by medaia for its own purposes when using the SkinScreener API.  

In addition, the processing of your year of birth and gender is necessary to comply with post-market surveillance requirements (ISO 13485 and Regulation (EU) 2017/745).

Your personal data is processed (i) with regard to non-sensitive data for the purpose of contract fulfillment in accordance with Art. 6 (1) (b) GDPR and (ii) with regard to your health data on the basis of your express consent in accordance with Art. 6 (1) (a) GDPR and Art. 9 (2) (a) GDPR. You have the right to revoke your consent at any time with effect for the future. However, without your consent, we are not permitted to process your sensitive health data – this also means that we cannot provide SkinScreener. We ask for your understanding in this matter. 

2.2 Post-market surveillance

In order to fulfill our legal obligations regarding post-market surveillance for medical devices and to further develop SkinScreener's artificial intelligence, we process some of your personal data from your use of SkinScreener in anonymized form, without any conclusions about your person being possible. For this purpose, the personal reference is deleted and replaced by an internal ID that can no longer be assigned to you.  

In order to carry out post-market surveillance and further develop the artificial intelligence of our app, analyzed, anonymized images with risk assessment, gender, and age are transmitted via an encrypted connection to the ISO-certified data center (location: Germany, local storage there), stored, and processed for research purposes, further development, and market surveillance of SkinScreener medical devices.

3. Possible recipients

SkinScreener is ad-free within the third-party app and does not share data with advertising service providers. We also do not sell, rent, or lend your personal data to third parties. 

We only disclose your personal data to the extent necessary to the following external service providers (processors) who support us in providing our services: 

  • IT service providers and/or providers of data hosting solutions or similar services;
  • Other service providers, providers of tools and software solutions who also assist us in providing our services and act on our behalf (e.g., providers of communication services).

Our processors only process your data on our behalf and based on our instructions so that we can provide you with our services.

Please note that our processor Google LLC is based in the US and is committed to protecting your data under the EU-US Data Privacy Framework.

In addition, we transfer your personal data to the following recipients (controllers) to the extent necessary:

  • External third parties to the extent necessary based on our legitimate interests (e.g., auditors and tax advisors, insurance companies in the event of insurance claims, legal representatives in the event of a claim);
  • Research institutions (only on the basis of your express consent); 
  • Authorities, courts, and other public bodies to the extent required by law (e.g., financial or data protection authorities).

In the event of a merger, acquisition, or sale of all or part of our assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of personal data, as well as your choices regarding personal data.

4. Storage periods and deletion

We will only retain personal data for as long as necessary to fulfill the respective processing purposes, including compliance with legal, regulatory, tax, accounting, or reporting requirements.

We may retain your personal data for a longer period if there is a complaint or if we reasonably believe that a legal dispute relating to our relationship with you is imminent. Our retention obligations may therefore continue to apply even if you no longer use the SkinScreener service.

When determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data. We also consider the potential risk of harm from unauthorized use or disclosure and whether we can achieve the processing purposes through other means.

If the data is no longer necessary for the purposes pursued or for our legitimate interests, we will delete the data as soon as no other legal basis for its processing applies.

If you revoke your voluntary consent or exercise your right to erasure, we will delete or anonymize all personal data and your health data that is not subject to any legal retention obligations within 30 days. If you do not request proactive deletion of your personal data, all personal data, including your health data, will be automatically deleted or anonymized 24 months after the end of the contract, at the end of the month in which the contract was terminated. No further action on your part is required. 

All images captured using SkinScreener and rated as green, yellow, or red, as well as the analyses and recommendations, are stored on your device. If the third-party app is uninstalled from your device, all captured images will also be deleted. 

Please note: Uninstalling the third-party app does not delete the data we have processed up to that point. To delete the data, please proceed as described above. 

5. Protection of data subject rights

You have the right to access, correct, delete, and restrict the processing of your personal data by medaia. You can also withdraw your consent to the processing of personal data with effect for the future if the processing is based on your consent. You may have the right to receive the data you have provided in a structured, commonly used, and machine-readable format ("data portability"). 

You have the right to object to data processing if there are reasons for this arising from your particular situation.

You also have the option of lodging a complaint with the data protection supervisory authority. The supervisory authority responsible for us is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, email: dsb@dsb.gv.at; tel: +43 1 52 1 52-0 (http://www.dsb.gv.at). Additional European data protection authorities can be found at https://digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities.

If you have any questions regarding your personal data, please contact us at datenschutz@medaia.at.

6. Data security

Data security is very important to us. medaia uses appropriate technical and organizational measures to ensure the security of data processing to the best of its ability. In accordance with Art. 32 GDPR, this applies in particular to the protection of personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data that is transmitted, stored, or otherwise processed (in particular, encrypted transmission and storage of your personal data).

All medaia employees are bound to secrecy regarding the information entrusted to them or disclosed to them in the course of their work.