Privacy Notice
1. Introduction
The purpose of this Privacy Policy ("Privacy Policy") is to allow us to inform you about how your personal data is processed when you use our services (hereinafter collectively referred to as “Kry Services”).
This Privacy Policy describes who is responsible for the processing of your personal data (data control). It also describes how we process your personal data, the legal basis on which we do this, what rights you have with regard to the processing of your personal data, how you can exercise these rights, and how you can contact us if you have any questions about our data protection measures.
Please note that Kry does not perform any medical activities itself. Medical activities, including but not limited to medical consultations, advice, recommendations and treatment plans (hereinafter collectively referred to as “Telemedicine Services”), are provided exclusively by independent medical practitioners ("Clinicians").
2. Who is responsible for the processing of your personal data?
2.1 Responsibility for the Kry Platform and Kry Services
DMS Digital Medical Supply Germany GmbH, company registration number HRB 192856, Julie-Wolfthorn-Straße 1, 10115 Berlin ("Kry", “we” or “us”) provides registered users or, where applicable, otherwise authenticated users ("Users") with access to the technical platform ("Kry Platform") in Germany, through which users can access selected Kry Services. Kry is the data controller for the processing of personal data that takes place within the scope of the provision of the Kry Platform and Kry Services.
2.2 Responsibility for Telemedicine services
When Telemedicine services are performed by Clinicians, Kry shall only provide the technical and administrative requirements for performing that Telemedicine service. This means that Kry will only process your personal data in this context in accordance with agreements made with the Clinicians.
The Clinicians have sole responsibility for the performance of Telemedicine services. The sole parties to the treatment contract are the Users and the Clinicians. Clinicians serve as independent controllers with respect to all personal data processing they do in the course of providing Telemedicine services. At the start of a consultation, you will be informed of the identity and contact details of the Clinicians. The Clinicians also provide you with (https://www.kry.de/datenschutzerklaerung-aerzte/ “Privacy Policy of Clinicians”).
2.3 Kry Contact
¤ If you have any questions, comments or complaints regarding the processing of your personal data in connection with your use of the Services, you are welcome to contact us at any time at (https://support.kry.de/hc/de/requests/new “Kry Support”). Alternatively, you can contact our Data Protection Officer at datenschutz@kry.de.
3. What personal data do we collect in the course of providing Kry Services?
This section describes the categories of personal data collected and processed in connection with the Kry Services. You are not obliged to provide personal data. However, if you do not provide us with your personal data, we may not be able to provide Kry Services to you or, as the case may be, the provision of Kry Services may be delayed.
3.1. Usage data
Kry processes the following personal data about you, collectively referred to as Usage data.
Registration data: Personal data you provide via your account, e.g., surname, first name, date of birth, gender, address, email address, telephone number and health insurance category, as well as other information about the insurance, e.g. health insurance card no..
Identification data: For identification purposes, Kry may request additional information, such as a photo of you and relevant documents proving your identity.
Usage data: Technical Information generated by your use of the Kry Services. Include IP address, credentials, type and version of operating system and unit, connection type, time settings, language settings, type of device and version, and application protocols.
3.2. Health Information
If you wish to use us receive Telemedicine services from a medical professional, you will be asked to provide data about your physical and/or mental health so that we can arrange Care for you. For the most part, this information is provided by completing the relevant symptom form on the Kry Platform or by submitting information about your health profile. For example, this could include information about a particular disease you are suffering from, your medical history or your physiological or medical well-being.
We also collect data about consultations with Clinicians, for instance, the date and time of appointments, the type and duration of an appointment, waiting time, the outcome of an appointment (for example, prescription, referral, sick note), the price category of an appointment, whether the appointment was for you or your child, and diagnostic codes. We also collect data about the prescriptions issued to you to allow you to forward and redeem the prescription. We may also access your medical records for regulatory- and quality control purposes, provided you have given your consent to do so.
The personal data described in this section is hereinafter referred to as “Health Information”.
3.3 Further data processing
If you use other selected Kry Services via the Kry Platform, we will process the personal data required for this purpose. Please refer to the Kry Platform for details about data processing.
4. For what purposes are your personal data processed, and on what legal basis?
4.1. Delivering our services to you
In connection with the provision of the Services, Kry processes your usage data for the following specific purposes:
(i) to enable you to register and give you the authorisation to log in and use your user account;
(ii) to verify your age and identity;
(iii) to operate and maintain the Kry Platform, for example, for functionality such as video calling- and support systems, booking systems and administrative systems required for your medical consultations, e.g., to give Clinicians information about who you are and what are your symptoms prior to the consultation;
(iv) to enable you to pay for the Service and to manage the settlement and assertion of claims arising in connection with the Telemedicine services provided by the Clinicians;
(v) to manage your prescriptions, including forwarding data to a pharmacy of your choice;
(vi) to maintain your profile and manage the settings you selected;
(vii) for quality control purposes (to ensure a high level of healthcare services for Clinicians and to follow up on inquiries, requests and complaints, for instance);
(viii) in order to otherwise deliver the Services for you in accordance with our Terms and Conditions.
The legal basis for all of the purposes described above under (i) to (vii) is to fulfil the contract with you as described in our General Terms and Conditions of Business (within the meaning of Art. 6 (1) (b) GDPR), and to safeguard our legitimate interests (within the meaning of Art. 6 (1) (f) GDPR). Insofar as your Health Information are processed for the purposes described above under (iii) to (vi), processing takes place on the basis of your explicit consent (in accordance with Art. 9 (2) (a) GDPR).
4.2. Marketing products and services and improving your user experience
With your consent, Kry will process certain usage data to provide you with news, updates and promotional content via email and other electronic communication channels such as in-app and push notifications. These communications are based on what we know about you as a user, B. which features you are most likely to use and which of the previous communications you showed interest in, as well as basic demographic and geographic data about you, such as, for example, your age, gender, the region you live in, and whether you use the service for yourself or for your children. Health Information will not be used for such communications however. With your consent, we may also send you health-related communications such as health recommendations, tips and relevant health information tailored to your needs.
You can unsubscribe from marketing communications at any time by changing your preferences in your account settings or by using the relevant link appearing at the end of every email.
4.3. Fulfilment of legal obligations, defence against claims and responding to legal proceedings
Kry may also process your personal data to the extent necessary to comply with its legal obligations under applicable law (pursuant to Art. 6 (1) (c) GDPR), for example, in accordance with accounting rules and regulations, and where we have a legitimate interest in defending ourselves against claims or otherwise responding to legal proceedings, as described in Art. 6 (1) (f) GDPR (and if Health Information is involved, then in accordance with Art. 9 (2) (f) GDPR).
4.4. Evaluating, developing and improving the quality of our services
Kry may process your personal data to further develop and improve Kry Services and the systems used to provide Kry Services. For example, we use your personal data to make the Kry Platform more user-friendly and simplify your user journey by personalising the user experience based on your data and requirements. We also use your personal data to launch or improve functionality we consider relevant for our users or to carry out quality improvement projects designed to enable and improve the Telemedicine services provided by the Clinicians. The legal basis for the processing of your personal data for the purposes described above is our legitimate interest in developing and improving the Services (Art. 6 (1) (f) GDPR). Where Health Information is involved, we will only process such data with your consent (Art. 9 (2) (a) GDPR).
With your consent, Kry may aggregate your personal data to process it anonymously, for example, to develop new functions for our Kry Platform, tailor our services to individual user needs, to optimise the user journey and to make general improvements to the user experience on the Kry Platform.
4.5 To identify whether users came to us via advertisements on the websites of our advertising partners, and to pay our advertising partners for such referrals
When you click on one of our ads on our advertising partners’ website, you will first be redirected to our website and then to an app store. We create a log file on our website with the following information:
a non-reversible hash of your IP address and information about your device (e.g., “Macintosh; Intel Mac OS X 10_14_6”);
the timestamp of your request; and
the name of the advertising campaign.
When you create an account to use our Kry Services, we also create a non-reversible hash of your IP address and device information (e.g., “Macintosh; Intel Mac OS X 10_14_6”).
We compare the hash values in these two log files to determine how many users have registered for an account in our Kry Platform after clicking on one of our ads on our advertising partners’ website.
We store the hashes for one week after they were created. We do not combine this data with any other data, in particular your account data, name or Health Information.
We use the result of this comparison exclusively for the following purposes: (1) to determine how many users registered for an account to use our Kry Services after a specific marketing campaign, and (2) to compensate our advertising partners; the amount of compensation received by the advertising partner depends on the number of successful registrations made after clicking on our advertisement on the advertising partner’s website.
Our legal basis for processing your personal data for the purposes described above is our legitimate interest to (1) know how many users have registered for an account to use our Kry Services after a specific marketing campaign, and (2) compensate our advertising partners in accordance with the agreement we have entered into with them (Art. 6 (1) (f) GDPR).
5. How long do we keep your personal data for?
We will only process your personal data for as long as necessary for the purposes for which the information in question is processed in accordance with Section 4 above. This means that we will keep your personal data for as long as necessary to provide you with the Services, to meet our relevant legal obligations, to defend ourselves against any claims, etc. as described in greater detail above.
Therefore, usage data (as defined in Subsection 3.1 above) is generally retained for two (2) years. Other personal data will generally be erased or anonymised no later than one (1) month after the termination of your account with us, provided that the data does not have to be stored in order to fulfil legal obligations (in particular to comply with retention obligations, which stipulate, among other things, that tax-relevant business letters or documents be retained for up to ten (10) years). In addition, if any legal or disciplinary proceedings are initiated, your personal data will be retained until the end of such proceedings, including any time limits for appeal, and subsequently deleted or archived, to the extent permitted by applicable law.
If we process your data based on your consent, we will delete or anonymise your data should you withdraw your consent (unless there is a legal obligation, such as a statutory retention obligation, or we have legal authority to keep these data for a longer period of time).
6. Third parties with whom your personal data may be shared
6.1. Kry Service Providers
In order to be able to offer you the services, Kry uses other companies in the Kry Group or external service providers that offer services in the areas of hosting and technical infrastructure (servers, databases, external computing power) as well as marketing and payment platforms. Kry specifically engages its parent company Kry International AB (a company based in Sweden) to provide IT services to provide Kry Services and the related Kry Platform. These service providers process personal data in their capacity as Processor on behalf of Kry solely for the purpose of providing the services requested by Kry and only in accordance with Kry’s instructions.
6.2. Insurance providers
If you were referred to us by your insurance provider or are insured by an insurance provider who is also a Kry partner, we may inform your insurance provider that you have used the Services, and also provide information on the outcome of health consultations and other health information, but only if you have given us your particular consent to do so, which you will be asked to provide when using the Services via your insurance provider. This Privacy Policy does not apply to the processing of personal data by your insurance provider. Please contact your insurance provider if you would like to know more about how your insurance provider processes your personal data.
7. Will the data be transferred to other countries outside the EEA?
Your personal Health Information (i.e. symptom- and consultation data) remains within the European Economic Area ("EEA") and will never be transferred to recipients outside the EEA.
However, we do sometimes use services from providers which partly operate from so-called third countries (outside the European Union (EU) and outside the EEA) or which process personal data from there, i.e. countries with a different level of data privacy than the EU. Where this is the case and the European Commission (EC) has not made an adequacy decision for these countries (Art. 45 GDPR), we at Kry have taken appropriate measures to ensure there is an adequate level of data protection for any such transfers. Such steps include, among other things, using the EU's standard contractual clauses or binding internal privacy regulations.
In cases where this is not possible, we base the data transfer as falling under the derogations of Art. 49 GDPR, in particular, that you have given your explicit consent, or that the transfer is necessary for the performance of the contract or for the implementation of pre-contractual measures.
If provision is made for a third-country transfer is provided for and no adequacy decision applies nor are there suitable guarantees, it is possible and there is a risk that authorities in that third country (e.g., intelligence services) will be able to gain access to the transmitted data in order to store and analyse it and that the enforceability of your rights as data subject cannot be guaranteed. You will also be notified if your consent is obtained via the cookie banner.
8. Use of cookies; in-app tracking; Customer Relationship Management (CRM)
More information about how cookies are used can be found in our (https://www.kry.de/cookies/ “Notes on cookies”) and in the cookie banner.
Within the Kry App, we process basic data, such as IP address, Internet connection or language settings, with the user consent necessary to use the Kry Services.
Users can also give their consent to tracking for product analysis and marketing purposes within the Kry App. On the basis of these consents, we may then process personal data such as IP address, device information, device ID and interaction within the Kry App for the purposes of internal product optimisation or to evaluate the effectiveness of marketing campaigns. Special categories of personal data, such as Health Information, are not processed for such purposes.
Where users have given their consent, we currently do not use any external trackers for product optimisation purposes.
We use Braze as the provider of our Customer Relationship Management System (CRM). We use the system to segment and send communication to you, e.g. marketing based on user consent or to send out important service messages. No personal data is processed outside the EU/EEA.
9. Online social network presence
We maintain an online presence on social networks in order to communicate with users and interested parties and to let them know about our services, among other things.
User data is generally processed by social networks for market research- and advertising purposes. This enables user profiles to be built based on the interests of users. Cookies and other identifiers are stored on user's computers for this purpose. Based on these usage profiles, advertisements can then be placed in social networks as well as third-party websites, for example.
In the course of operating our online presence, we may be able to access information provided by the social networks such as statistics on how our online presences are used. These statistics are aggregated and may in particular contain demographic information and data concerning interactions with our online presences and the articles and content distributed using them. Please refer to the list below for details and links to the social network data we have access to as operator of the online presences.
The legal basis for data processing is Art. 6(1) sentence 1 lit. f GDPR, based on our legitimate interests in providing users with effective information and for user communication,; in the alternatuive, Art. 6(1) sentence 1 lit. b GDPR in order to stay in touch with and inform our existing users, and to implement pre-contractual measures with prospective users.
The legal basis for the data processing carried out by the social networks at their own behest can be found in the social network's own privacy policies.
You can also find additional information about how data is processed and options for filing a complaint for each network under the following links.
Note that data protection requests can be dealt with most efficiently by the social network provider, since they alone have access to these data and only they are able to take direct action. Below is a list of information about the social networks where we have an online presence:
Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Operation of our Facebook fan page under joint responsibility and based on an agreement on the joint processing of personal data (so-called Page Insights extension with regard to the Data Controller)
Information about page insights data and whom to contact with any privacy enquiries:(https://www.facebook.com/legal/terms/information_about_page_insights_data “https://www.facebook.com/legal/terms/information_about_page_insights_data”)
Privacy Policy: (https://www.facebook.com/about/privacy/ “https://www.facebook.com/about/privacy/”)
Opt-Out: (https://www.facebook.com/settings?tab=ads “https://www.facebook.com/settings?tab=ads”) and (http://www.youronlinechoices.com “http://www.youronlinechoices.com”).Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Privacy Policy: (https://help.instagram.com/519522125107875 “https://help.instagram.com/519522125107875”)Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
Privacy Policy: (https://twitter.com/de/privacy “https://twitter.com/de/privacy”)
Opt-out: (https://twitter.com/personalization “https://twitter.com/personalization”).LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
Operation of the LinkedIn company page under joint responsibility and on the basis of an agreement on the joint processing of personal data (so-called Page Insights Joint Controller Addendum)
Information about page insights data and whom to contact with any privacy enquiries: (https://legal.linkedin.com/pages-joint-controller-addendum “https://legal.linkedin.com/pages-joint-controller-addendum”)
Privacy Policy: (https://www.linkedin.com/legal/privacy-policy “https://www.linkedin.com/legal/privacy-policy”)
Opt-out: (https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out “https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out”).
10. Your rights as a Data Subject and User of Kry Services
You have a number of different rights with respect to the personal data we hold about you, which you can exercise depending on the requirements and restrictions of applicable data protection law.
Feel free to contact us at any time in order to:
request access to and get information about the personal data processed in connection with your use of Kry Services. You are entitled to receive a copy of the personal data processed. For any additional copies you request, we may charge a reasonable fee to cover our administrative costs;
ask us to correct incorrect information we hold about you;
request the erasure of your personal data;
ask us to restrict processing of your personal data if you believe that (a) such data is inaccurate, (b) our processing is unlawful or (c) we no longer need to process such data for a specific purpose, unless we are prohibited from erasing the data because we are required to comply with a legal or other obligation or you do not want the data to be erased;
__- object to the processing of your personal data if the legal basis for our processing of your personal data lies in our legitimate interest. We will comply with your request unless we have compelling legitimate grounds for processing the data which override your interests and rights, or we need to continue processing the data in order to assert, exercise or defend a legal claim. In addition, you may not have a right to object in particular if the processing of your personal data is necessary for the implementation of pre-contractual measures or in order to fulfil a contract that has already been concluded;
if we use your personal data based on your consent, exercise your right to withdraw your consent at any time free of charge.
This also applies if you wish to unsubscribe from marketing communications. Please note, however, that Kry can no longer provide you with Kry Services if you withdraw your consent to the use of Health Information for the purposes described in Section 4.1 above; or
request the transfer of your personal data to another data controller of personal data, which you do by having your personal data, insofar as it has been provided by you, sent to you in a commonly used digital format to allow these data to then be transferred to another party (right to data portability).
If you wish to contact us regarding any of the above rights, please do so by visiting our website or by emailing us at datenschutz@kry.de. As mentioned above, Clinicians act as independent controllers in relation to any processing of your personal data. Such processing takes place in the context of the provision of the Telemedicine services. Therefore, if you wish to make an application or exercise any of your rights in relation to the Telemedicine Services, please contact the Clinician concerned.
11. The right to lodge a complaint with a Data Protection Authority
We hope this Privacy Policy has helped you understand how we handle your personal data. However, if you still have questions, please do not hesitate to contact us using the contact details provided in Section 8 above. Note: you have the right to lodge a complaint with a data protection authority if you believe that the processing of your personal data is incorrect or violates legal requirements. In these cases, the responsible authority is (a) the data protection authority of your place of residence or (b) the data protection authority responsible for us, i.e. the Berlin Commissioner for Data Protection and Freedom of Information.
Version: February 2022