Privacy Policy

Principle of anonymous data use

The use of individual services and offers (Pill.ID App for Android, Pill.ID App for iOS, Pill.ID Website[in short ‘Pill.ID Apps’]) on our website and in our apps can entail divergent regulations which in this case are explained separately below. The legal basis for data protection can be found in the General Data Protection Regulation (GDPR).

When you access our website or Apps, some information, such as device used (computer, smartphone, tablet etc.), the browser used (Internet Explorer, Safari, Firefox etc.), time of visit to the website, the so-called referrer and volume of data is transferred.

We cannot use this data to identify an individual user. We only use this information to determine how attractive our offers are and to improve their performance or content, if necessary, and make their design even more appealing to you.

Collection and processing of personal data

In the case of use purely for information, i.e. if you do not register or send us information another way, we only collect data which your browser transfers to our servers. If you want to view our website, we collect the following data, which we require for technical purposes in order to show you our content and guarantee stability and security (legal basis is a legitimate interest pursuant to Article 6 (1) (f) GDPR).

In the context of the balance of interests in accordance with Article 6 (1) (f) GDPR, we have considered and weighed up our interest in website provision and your interest in data protection compliant processing of your personal data. As the data below is technically required for the provision of our service in order to offer you our website and also guarantee stability and security, in particular protection against misuse, we have reached the conclusion that, with a state-of-the-art oriented data security guarantee, this data can be processed whereby appropriate consideration will be given to your interest in data protection compliant processing.

DataPurpose of processingStorage period
Operating system usedEnsure evaluation by device and optimized display of the websiteIndefinite
Information about the browser type and version usedEvaluation of the browser used to optimize our websites for itIndefinite
IP addressPresentation of the website on the respective device
Investigation and prevention of fraud
Proof of user’s consent to receiving the newsletter
Date and time of visitPresentation of the website on the respective device
Investigation and prevention of fraud
Proof of user’s consent to receiving the newsletter
If applicable, manufacturer and model of the smartphone, tablet or other deviceEvaluation of device manufacturers and types of mobile end devices for statistical purposesIndefinite

The collection of data for website provision and the storage of data in log files is imperative for website operation. Consequently, users may not object to this.

The purposes of processing

The Data concerning the User is collected to allow the Owner to provide its Services, as well as for the following purposes: Analytics, Infrastructure monitoring and Hosting and backend infrastructure.

Users can find further detailed information about such purposes of processing and about the specific Personal Data used for each purpose in the respective sections of this document.

Data collection, processing and use in the context of Pill.ID Service

Access rights

We require these access options and information to ensure the technical function of our app and to provide the services offered with the app, to send you push notifications to inform you about new drug checking results. During the installation procedure or before you use the app for the first time, we request permission to access individual functions and information. We will only access these functions with your approval. You can revoke access rights manually in the settings for each operating system. You can find out how this works in the manufacturer instructions for your mobile OS. However, please note that you can only use the app to a limited extent or you cannot use it at all without the relevant approval.

Before you use the app for the first time, we will request the following permissions for the purpose described below:

PermissionPurpose
Delivery of push notificationsReceipt of push notifications
Mobile data/WLAN
(granted by the operating system)
Use of Internet and downloading of new content

Push notifications as part of the user experience

We require your consent if you wish to receive our push notifications on your mobile iOS device even if the app is not open. Our app only uses push notifications if you have given your explicit consent to these. You can disable push notifications in settings at any time. If you use an Android device, push notifications are permitted automatically unless you disable this in your settings.

Name of providerProvider typeData transfer to third party countryThird party countryGuarantees in acc. with Art. 44 ff GDPR
Google FirebaseOrder processorYesUSAEU standard contractual clauses
EU/US Privacy Shield
DataPurpose of processingLegal basis of processingStorage period
Device tokenSending to your deviceConsentUntil revocation of consent

Newsletter, newsletter personalization and analysis of user behavior

You can subscribe to our newsletter if you want to receive regular updates or information about topics and products that are referred to in the declaration of consent.

We need a valid email address for you for subscription purposes.

To make doubly sure that you actually want to receive information from us, we use the double opt-in procedure. Once you have subscribed, you will receive a link by email which you can use to activate the newsletter service. In other words, we will send an email to the address given when you subscribed in which we ask for confirmation that you want to receive the newsletter.

Name of providerProvider typeData transfer to third party countryThird party countryGuarantees in acc. with Art. 44 ff GDPR
Sendinblue SAS – Politique de confidentialité
55, rue d’Amsterdam 75008 Paris, France
Managing contacts & sending messagesYesUSAEU standard contractual clauses
EU/US Privacy Shield
Data in the context of the newsletter
Data in the context of the personalized newsletter (*)
Purpose of processingLegal basis of processingStorage period
Time of registrationProof of double opt-in (DOI)ConsentUp to 30 days after deletion of the customer account
IP address during DOIProof of double opt-in (DOI)ConsentUp to 30 days after deletion of the customer account
Time of DOI verificationProof of double opt-in (DOI)ConsentUp to 30 days after deletion of the customer account
Email addressNewsletter dispatchConsentUntil revocation/objection
FirstnameDirect approachConsentUntil revocation/objection
LastnameDirect approachConsentUntil revocation/objection

Cookies and tracking pixels

We use cookies to improve our web service and make your use as easy as possible. Cookies are small text files which are saved on your computer when you visit our website. They facilitate the repeated allocation of your browser. Cookies save information, such as your language settings, duration of the visit to our website or the entries you made there. This means that the required data does not need to be entered again each time the service is used. Moreover, cookies help us to recognize your preferences and adjust our website to your areas of interest.

Most browsers accept cookies automatically. If you want to prevent cookies from being saved, you can select the ‘Accept no cookies’ option in your browser settings. To find out exactly how this works, you can consult your browser manufacturer’s instructions. You can delete cookies that have already been saved on your computer at any time. Please bear in mind, however, that our website service can only be used to a limited extent without cookies.

Moreover, every time our website is loaded, we record how often it is visited and clicked on by using tags on our website, so-called tracking pixels, likewise without any interference and intervention for your computer.

Google Analytics

We use the Google Analytics service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to analyze our website visitors. Google uses cookies to track the use of the online product or service by users and the information is generally transferred to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate the use of our online products and services by users, to compile reports on the activities within these online products and services and to provide us with further services associated with the use of these online products and services and the use of the internet. Pseudonymous user profiles can be created from the processed data.

We use Google Analytics only with IP anonymization enabled. This means that Google will truncate the IP address of users within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent cookies from being stored by adjusting the settings to their browser software accordingly.

The legal basis for the use of this service is Art. 6 paragraph 1 sentence 1 letter f GDPR. Users can prevent the collection of data generated by cookies by downloading and installing the browser plug-in that is available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. Google is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active)

Facebook Marketing Services

We use the “visitor action pixels” from Facebook Inc. (Menlo Park, California) on our website so that user behavior can be tracked after users have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address: https://www.facebook.com/settings?tab=ads.

We also use Facebook’s Software Development Kit (SDK) within our apps, in order to link various Facebook services with our apps. For example, this enables users to be able to use the Facebook SDK to share content from our apps within their Facebook timeline or to send messages to other Facebook users. Further information about the Facebook SDK within iOS can be found here: https://developers.facebook.com/docs/ios. For Android, please refer to: https://developers.facebook.com/docs/android. Facebook App Events: We use the Facebook App Events service though the Facebook SDK to track the reach of our advertising campaigns and the use of the Facebook SDK. Facebook merely provides us with an aggregated analysis of user behavior with our app. We have no influence beyond that on the information that will be processed through App Events by Facebook. In our app settings, you can opt out of using App Events for these purposes.

Facebook is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). The legal basis for this processing is Art. 6 paragraph 1 sentence 1 letter b and f GDPR.

Facebook Analytics

Facebook Analytics uses the data to provide analytics and attribution information. The precise information collected includes
Usage Data and various types of Data as specified in the privacy policy of the service on Facebook.

Firebase by Google

We use the Firebase service from Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in order to derive application behavioral analytics. We use that information to see how users interact with our website and app.

Firebase is part of the Google Cloud Platform and offers numerous services for developers. A list can be found here: https://firebase.google.com/terms/. Some Firebase services process personal data. In most cases, the personal data is limited to so-called “instance IDs”, which are provided with a time stamp. These “Instance IDs” assigned by Firebase are unique and thus allow the linking of different events or processes. This data does not represent personally identifiable information for us, nor do we make any efforts to personalize it subsequently. We process these aggregated data to analyze and optimize usage behavior, for example by evaluating crash reports.

Currently, we use the following Firebase services:

Google Analytics for Firebase: Google Analytics uses the data to provide analytics and attribution information. The precise information collected can vary by the device and environment. You can find more information via this link: https://support.google.com/firebase/answer/6318039.
and on Google’s partner policy. Google Analytics retains ID-associated data for 60 days, and retains aggregate reporting and campaign data without automatic expiration, unless the Firebase customer changes their retention preference in their Analytics settings or deletes their project.For Analytics for Firebase, Google uses not only the “Instance ID” described above, but also the advertising ID of the end device. You can restrict the use of the advertising ID in the device settings of your mobile device. For Android: Settings > Google > Ads > Reset Ad ID For iOS: Settings > Privacy > Advertising > No ad tracking

Firebase Dynamic Links: Dynamic Links uses device specs on iOS to open newly-installed apps to a specific page or context. Dynamic Links only stores device specs temporarily, to provide the service.

Firebase Cloud Messaging: Firebase Cloud Messaging is used to transmit push messages or so-called in-app messages (messages that are only displayed within the respective app). A pseudonymized push reference is assigned to the mobile device, which serves as a target for the push messages or in-app messages. The push messages can be deactivated and reactivated at any time in the settings of the mobile device. Firebase Cloud Messaging uses Instance IDs to determine which devices to deliver messages to. Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Realtime Database: Firebase Realtime Database is a hosting and backend service provided by Google Inc.
Purpose: Providing of hosting & backend infrastructure for our apps
Personal Data collected: Usage Data and various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy. Privacy Shield participant.

Firebase Cloud Firestore: Firebase Cloud Firestore is a hosting and backend service provided by Google LLC.
Purpose: Providing of hosting & backend infrastructure for our apps
Personal Data collected: Usage Data and various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy. Privacy Shield participant.

Firebase will use this information on our behalf for the above mentioned reasons.

The legal basis for the use of this service is Art. 6 paragraph 1 sentence 1 letter f GDPR. Google is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation http://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Crashlytics: When using our website and apps, data is collected and stored which is used to generate information using pseudonymous usage profiles for purposes of web analysis. We measure and analyze technical performance data (e.g. response and load times) and application data (hardware and software used) in order to improve the performance of our products. Cookies are used to do so. These are text files saved on your computer that allow us to analyze how you use our website. The pseudonymous usage profiles are not associated with personal data on the bearer of the pseudonym without the concerned party’s express consent. You can object to future data collection and storage for the purpose of web analysis at any time by deactivating cookies in your browser settings. You can find the individual privacy notices for the providers here:
https://firebase.google.com/terms/data-processing-terms

Name of providerProvider typeData transfer to third party countryThird party countryGuarantees in acc. with Art. 44 ff GDPRStorage period
Crashlytics by
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA
Order processorYesUSAEU-US Privacy Shield90 days

Social media fan pages

Pill.ID maintains so-called fan pages with social media providers like Instagram and Facebook (both: Facebook Inc. Menlo Park, California) in order to communicate with users, interested parties, and users who are active there, and to inform them about our products and services. In doing so, the users’ data can be processed outside of the EU. The above-mentioned US providers are part of the EU-US Privacy Shield framework and thus guarantee the observance of European data protection laws.

In the opinion of the European Court of Justice (ECJ), we are responsible, together with Facebook, for the processing of your personal data. You can find the decision of the ECJ dated June 5, 2018 here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=298398

A Joint Controller Agreement exists with Facebook Inc. pursuant to Art. 26 GDPR, which can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. Facebook Ireland pledges to assume the main responsibility in the context of the General Data Protection Regulation (GDPR) for the processing of Insights data and to fulfill all applicable obligations in the context of the GDPR with reference to the processing of Insights data (including, but not limited to Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR). Facebook Ireland will also make available the essential information of this Page Insights Addendum to the affected parties. Please contact Facebook to assume your rights as affected parties. The Data Policy of Facebook can be found here: https://www.facebook.com/privacy/explanation

When using the Facebook fan page, the following data will be collected from you for the purpose of user communication and target group advertising:

  • user interactions (posts, likes, etc.)
  • Facebook cookies
  • demographic data (e.g., based on information regarding age, place of residence, language, or gender)
  • statistical data on user interactions in aggregated form, that is, without the possibility to relate the information to any particular persons (e.g., page activities, page impressions, page previews, likes, recommendations, articles, videos, page subscriptions, incl. source, times of day)

The usage of personal data for advertising purposes is of particular importance for Facebook. We use the statistics function to find out more about visitors to our fan page. The use of the function enables us to adapt our content to the respective target group. In this way we also use, for example, the demographic information about the users’ age and location, whereby it is not at all possible for us to relate this information to persons.

In order to provide the social media service in the form of our Facebook fan page and to use the Insight function, Facebook generally saves cookies on the end device of the user. These include session cookies, which are deleted when the browser is closed, and persistent cookies that remain on the end device until they expire or are deleted by the user.

We use the Facebook Insights function for statistical evaluation purposes. In this connection, we receive anonymized data concerning the users of our Facebook fan page. As a result, it is not possible for us to trace them back to your person. For more information, you can refer to the cookie guideline https://www.facebook.com/policies/cookies/ of Facebook.

The personal data of users are processed on the basis of our justified interest in effectively providing information to users and maintaining communication with the users, as well as for the purposes of statistical evaluation pursuant to Art. 6(I) (f) GDPR.

Transfer of data to third parties

We only pass your personal data on to third parties if:

  • you have given your explicit consent to this,
  • forwarding data is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume you have an overriding legitimate interest in your data not being passed on,
  • in the event that we have a legal obligation to forward data, and
  • this is legally permissible and required for the performance of the contractual relationship with you.

In the case of data transfer outside the European Union, the high European level of data protection essentially does not exist. It may be the case with a transfer that an EU Commission adequacy decision in accordance with Article 45 (1) (3) GDPR is not currently in place. This means the EU Commission has not yet decided that the level of data protection in the respective country corresponds to the level of protection in the European Union based on the GDPR. Consequently, we have put the appropriate guarantees referred to above in place. Potential risks, which cannot be ruled out completely in connection with data transfer, are in particular:

  • your personal data could be processed over and above the intended purpose.
  • Moreover, there is a possibility that you may not be able to exercise your rights in relation to data protection, for example your right of access, to rectification, erasure or data portability, on a consistent basis and enforce these.
  • It may also be highly likely that data is processed incorrectly and in quantitative and qualitative terms, the protection of personal data fails to meet the requirements of the GDPR in full.

Your Rights

Information on the rights of data subjects

Each data subject has the right of access in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, the right to restriction of processing in accordance with Article 18 GDPR, the right to object in Article 21 GDPR and the right to data portability in Article 20 GDPR. The limitations according to Articles 34 and 35 BDSG apply to the right of access and to the right to erasure.

Information on the option to lodge a complaint

You also have the right to lodge a complaint with the competent data protection authority about our processing of your personal data.

You can withdraw your consent with us to process personal data at any time. This also applies to withdrawals of a declaration of consent that were given to us before the General Data Protection Regulation came into effect, i.e. before May 25, 2018. Please note that this withdrawal will only apply prospectively. This does not affect processing that took place prior to a withdrawal.

Right in the event that data is processed for direct marketing purposes

You have the right pursuant to Article 21 (2) GDPR to object to the processing of personal data concerning you. In the event that you object to processing for direct marketing purposes, we will no longer process your personal data for this purpose. Please note that this withdrawal will only apply prospectively. This does not affect processing that took place prior to a withdrawal.

Information on right to object in the case of balance of interests

If we process your personal data based on a balance of interests, you can object to such processing. If you exercise this right to object, please state the reasons why we should not process your data as we have described. If your objection is justified, we will review the situation and either stop or adjust data processing or explain our compelling legitimate reasons for processing to you.

Our website may contain links to the websites of other providers. Please note that this Data Privacy Statement applies only to the website of Pill.ID. We have no influence on or control over the compliance of other providers with applicable data protection regulations.

Amendments to the Data Privacy Statement

We reserve the right to amend or adjust this Data Privacy Statement at any time subject to compliance with applicable data protection regulations.

Contact

E-mail: [email protected]