of Kineto Tech Rehab SRL for the application re.flex.
re.flex is a Class I medical device manufactured by Kineto Tech Rehab SRL. The CE mark indicates that re.flex has demonstrated compliance with the requirements of the European Medical Device Regulation.
- responsibilities and contacts in all matters concerning the protection of your data,
- the purposes, legal bases and procedures for collecting, storing and processing the data you provide to us in the course of installing and using re.flex,
- the service providers involved in the provision of our service and their tasks,
- your data subject rights and how you can exercise them.
Kineto Tech Rehab SRL is the manufacturer of re.flex. The contact details are:
Kineto Tech Rehab SRL
Calea Plevnei street, 139C
Data protection officer and contact details
If you have any questions about our data protection provisions, the processing of your data and the processing procedures, or if you would like to exercise your data subject rights pursuant to Art. 12 to 20 GDPR, independently of the options offered in the re.flex app, you can contact our data protection officer at any time by post or by e-mail in English:
Calea Plevnei street, 139C
What is the medical purpose of re.flex?
re.flex is a therapeutic training program for gonarthrosis patients, consisting of an app and two motion sensors, which supports the patient, physician and physiotherapist in the course of therapy. A detailed and predefined training program offers the possibility for independent training of the patient and for documentation of the training activity, the pain progression as well as an overview of the perceived effort of the individual exercises. By means of the motion sensors, re.flex is able to provide the patient with clear instructions and immediate live feedback on correct and incorrect execution of the exercise, both acoustically and visually in 3D. Before use, a physician should have confirmed that re.flex is suitable for you and your health situation. re.flex does not provide medical or therapeutic diagnosis, recommendation or medical treatment.
Why do we have to collect data from you?
re.flex requires data for purposes of the intended use of the app and the sensors. This primarily includes the implementation of the medical purposes described above. With this data, re.flex can provide feedback on the execution of the exercises and create reports for the personal evaluation of the training progress. All data required for this purpose is collected directly from you via the re.flex app or the associated sensors and is stored securely on your mobile device or our server for further processing. re.flex creates an individual user account for you to protect your data against unauthorized access. Training plans, training results and other important data are bound to this account and are thus available to you every time you use re.flex. In order to authenticate you to your user account, to accept requests from you from the app and also to contact you, we need validated contact data, e.g. your email address. If you would like to receive the sensors required to use re.flex by mail, we also need your postal address. All accesses from the re.flex app to your data as well as login attempts and other function calls against our servers are logged. This allows us to detect attempted attacks and to meet our accountability obligations under the GDPR (e.g., to be able to answer inquiries you make about access to your data). All log data is kept for a maximum of 4 weeks. All of this data processing – unless explicitly stated otherwise below – is only carried out with your consent on the basis of Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. You can revoke your consent at any time; this will delete your user account. With your consent, we can process further data for the purpose of permanently ensuring the technical functionality, user-friendliness and further development of re.flex. 
We will ask you for this consent after the launch of the re.flex app, as we strive to continuously improve our app and our sensors and are dependent on data on the use of the devices in everyday care. This consent is independent of the consent to the processing of data for the intended use of re.flex described above. You can use re.flex even if you do not give this consent. Likewise, you may revoke a given consent at any time and continue to use re.flex without restriction thereafter. Detailed information on these purposes, processing operations and data collected for this purpose is provided in the following sections.
Installing the re.flex app
The re.flex app can currently only be obtained from the Apple App Store. To install the app on your mobile device, you need an account with Apple. The data processing associated with this and with the download of the app is beyond our control and responsibility. The responsible party for this is solely Apple as the operator of the App Store.
Creating a user account
In order to use re.flex after the successful validation of the activation code, you must create a user account. For this purpose, you must provide a user name (first name), a password, and a personal e-mail address to which only you have access. The password must meet defined security requirements and is used exclusively for authentication. Specifying an email address is required because some features require a second factor to verify your authenticity. This is the case, for example, if you forget your password or if we need to authenticate you as part of a communication that takes place outside the app. We will send an email to the email address provided as part of the registration process. This email will contain a confirmation link that you must click. This validates your email address and completes the registration process. If the confirmation link has not been activated after 48 hours, the user account will be automatically deleted. You can delete your user account in the re.flex app under [Profile > My Account] at any time. This will terminate your use of re.flex and all data stored by us about you will be deleted. The storage of all data of your user account takes place in Germany in a data center of our processor T-Systems. You can find out more about this in the section “Who do we share your data with (and why)?”
Intended use of re.flex
Medical data are collected and stored exclusively for purposes of the intended use of re.flex. This includes the following processing operations and processed data:
- Adaptation of the therapy to the patient: Indication, affected leg. With this data, the appropriate training program is created.
- Reminding the patient to perform the therapy: username, training plans. The training reminders are used to remind you to perform your training. This can be customized and turned off under [Profile -> Send training reminder].
- Saving of progress within the therapy and continuous individualization of the therapy: Data from the sensors and derived aggregated data on the execution of the exercises (time stamp, maximum flexion, number and accuracy of executions, recovery activities), data from the patient on aspects of exercise execution (pain, accuracy, etc.). With this data, re.flex can provide feedback on exercise execution and optimally adapt the training to you.
- Information of the patient: Medical Reports. The reports contain summaries of the data listed here to inform the patient about the implementation and progress of therapy.
When users access the app, re.flex collects and aggregates information about mobile devices (device type, operating system, app version), interfaces accessed, failed login attempts, and errors encountered. This data is necessary for the secure delivery of re.flex, as it allows us to track errors (e.g., by identifying that certain errors only occur on a certain type of device) and detect attacks.
All data processed for this purpose is stored on servers of our order processor T-Systems in Germany and automatically deleted after 4 weeks.
The basis of the processing is Article 6(1)(f) GDPR.
Responding to technical support requests
You can submit requests to technical support from within re.flex, for example, if you have questions about a specific function of the re.flex app or the activation of sensors. Note that technical support can only answer questions about technical topics and the operation of re.flex. Therefore, do not ask any medical questions to technical support and do not send any medical data to support with your request.
With a support request, you send your user name, your e-mail address and the IP address used at the moment of the request to technical support. This enables technical support to narrow down the described problem and to solve it. The transmitted data is required to perform any necessary analysis of log data and to contact you in case of any queries.
If you contact us via technical support, we will keep this correspondence until your re.flex user account is deleted. This allows us to track the resolution of an error, identify recurring issues and, in the event of further support requests from you, to access a history of the steps already taken to address the issue.
Ensuring technical operability, user-friendliness and further development
Usage data (interaction data from the use of buttons and views, as well as other information on the specific use of the app and sensors) that accumulates optionally during the use of re.flex helps us to improve the app and the user experience. In particular, we collect data about the interactions performed on individual screen views during app use in order to have sufficient information about the context and cause of an error if one occurs, and thus to be able to analyze and fix it. This helps us to improve the stability of re.flex. The data processed here includes the state of the app when an error occurs, a list of the interactions performed before the error occurred, information about the manufacturer and operating system of the cell phone, and information about the time of the crash. The processing of this data takes place exclusively by us.
How does re.flex process your data
We process your data only to the extent that this is necessary to provide the re.flex services you have requested, you have consented to the processing or we are entitled to process your data for other reasons (see previous section).
Your data is processed throughout on the basis of the General Data Protection Regulation (esp. Article 6(1)(a) and (f) GDPR, as well as Article 9(2)(a) GDPR).
The technical and organizational measures used to protect your data reflect the state of the art and are appropriate in relation to the risks associated with the processing. Your data is only stored and transmitted in encrypted form. Both the re.flex website and the app use the secure HTTPS protocol with TLS encryption for data transmission. When using the re.flex website, you can recognize an encrypted connection by the fact that the address line of the browser starts with “https://” and by the lock symbol in your browser line. Since SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
The re.flex information security policy defines acceptable use, protocols for access and authorization, and appropriate protections for the entire lifecycle of data (i.e., collection/acquisition to destruction).
re.flex employees and order processors may only access and use personal data if they are authorized to do so and only for the purposes for which they are authorized (“need-to-know principle”). All accesses to personal data require prior authentication, pass through a technically secured access control and are logged in the systems (principle of “complete mediation”).
Does re.flex use automated individual decision making, including profiling?
re.flex does not use automated decision making or profiling (an automated analysis of your personal circumstances).
When will the stored data be deleted (deletion concept)?
We collect and store your health data, technical data and usage data as long as you use re.flex and have a user account with re.flex. The use ends with the expiry of the prescribed or approved duration of use, with a deletion of the user account triggered by you or with your revocation of consent for the purposes of intended use. In the event of expiry of the period of use and revocation of consent for the purposes of intended use, your user account will also be automatically deleted.
Data for purposes of intended use
The deletion takes place immediately together with the deletion of the user account. For technical reasons, up to 24 hours may pass between the expiry of the period of use or the revocation of consent and the physical deletion of the data from our server. During this time, the data is marked and blocked for any use.
Technical logs for the purposes of safe operation
Technical logs written for the purpose of secure operation are automatically deleted or overwritten after 4 weeks.
Data to ensure technical functionality, user-friendliness and further development
This data is only collected with your consent and only processed as long as the consent exists. The consent expires automatically with the expiry of the application period or the revocation of consent for the purposes of the intended use. With the revocation or expiration of consent, your personal data collected to ensure technical functionality, user-friendliness and further development will be deleted.
Data collected or processed by the technical support team
Data collected for support purposes is automatically deleted when the user account of the user from whom the support request originated is deleted.
Data exported will be automatically deleted after retrieval by the user.
Backups are created on a rolling basis and stored only in encrypted form. A backup is overwritten or deleted after 2 weeks at the latest.
Who does re.flex share your data with (and why)?
In order to be able to provide our services in the best possible way, we use specialized partners with whom we have concluded data processing contracts in accordance with Article 28 GDPR.
All data processors named below work exclusively on our instructions and under our control.
T-Systems International GmbH
Based on a contract data agreement, the hosting of the background services and the support systems of re.flex is carried out by T-Systems International GmbH (Hahnstraße 43d, D-60528 Frankfurt am Main). For this purpose, server locations in Germany (Magdeburg and Biere) are used exclusively. T-Systems’ servers are fully protected against cyber attacks and have ISO 27001 security certification. The re.flex app communicates with the background systems via encrypted connections using TLS in accordance with BSI TR-02102-2, which prevents third parties from reading your data without authorization. In addition to the provision and technical operation of the servers and network connection, T-Systems’ contract processing activities include the provision of user authentication services and secure storage of all collected data.
Is data shared for scientific research purposes?
We pass on completely anonymized data to research institutions. This is done exclusively with the aim of having our product clinically validated and to support scientific research. You may object to the disclosure of your data for reasons arising from your particular situation (Art. 21(6) GDPR). To do so, send an informal objection to our data protection officer or technical support.
We can provide the list of current research collaborations upon request at firstname.lastname@example.org.
Data storage on mobile devices
The BSI recommends that sensitive data should preferably be stored on background systems. Therefore – and to provide the best possible user experience – we limit the data we store in encrypted form on your device to the following, necessary elements: email address, name of current training program and other training data such as adherence, pain and intensity, and support request messages.
To remove the locally stored data, uninstall the app from the device by either long pressing the app icon and then selecting “Remove App” or by selecting the app in the app list and pressing Delete. Uninstalling the app will only remove the local data. The data stored in the backend systems will remain as long as your consent is in place and there is no request for account deletion or consent revocation.
International data transmission
All user and health data is GDPR compliant and securely stored in Germany. We do not transfer any data outside the EU.
What rights do you have with regard to your data?
Articles 12-23 GDPR define your rights as a data subject. You can check these with us via our data protection officer (Andrei Kluger, email@example.com) or via technical support:
- You have the right to receive from us free of charge information about the personal data processed about you as well as a copy of this data (Article 15 GDPR). To do so, send an informal request to our data protection officer or technical support. You can also independently retrieve the data processed for the intended purposes of re.flex via the export function of the re.flex app.
- You have the right to have us correct or fill in incorrect or incomplete data (Article 16 GDPR). To do this, send an informal request to our data protection officer or technical support. They will check your authenticity based on your e-mail address stored in the user account and then initiate the desired corrections.
- You may request the restriction of processing by blocking data (Article 18 GDPR). Since blocking data and the associated exclusion from processing in the context of the intended use of re.flex is equivalent to deleting this data, we will delete the designated data upon informal request. This only applies to data that is dispensable for the intended use. A request for blocking of necessary data, such as your e-mail address or the information on the leg concerned, cannot be implemented as such; it can only be implemented by revoking your consent.
- You have the right to have us notify – to the extent feasible with a proportionate effort – all recipients to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18 (Article 19 GDPR). In its current version, re.flex does not allow any disclosure of data to third parties, such as doctors or physiotherapists, from within the app. Accordingly, Article 19 GDPR is not applicable to re.flex.
- You have the right to export all data collected from you on the basis of consent in an interoperable format from re.flex for your own purposes (Article 20 GDPR). You can do this yourself via the data export function within the app.
- You have the right to complain to a supervisory authority about alleged violations of data protection law. The contact details of the competent authority for us are: https://www.dataprotection.ro/; firstname.lastname@example.org (postal address: Gheorghe Magheru 28-30, Sector 1, 010336, Bucuresti, Romania).
The requests you make will be implemented free of charge for you and within the deadlines specified in Art. 12 GDPR.
To protect your privacy and security, we will take reasonable steps to authenticate you before granting access to your personal information. You will be informed immediately via the e-mail address registered in your user account about deletions, blocks and corrections of data carried out by us – including the deletion of the user account following this information. This will only confirm the execution of the request. To protect your privacy, the e-mail does not contain any medical data.
Do you change your privacy document?