Information according to Art. 13 GDPR for the Meliva Mobile App
Data protection is very important to us. With the following information, we would like to inform you about how we handle the collection, use and disclosure of personal data when using the Meliva Mobile App - e.g. when using services such as video consultations - in accordance with Art. 13 of the EU General Data Protection Regulation (GDPR).
- Responsible body
Responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:
Meliva GmbH
Gervinusstraße 17
60322 Frankfurt am Main
Tel.: +49 69 5660820
Email: datenschutz@meliva.de
2. Data processing when using the Meliva Mobile App
2.1. Registration/Patient Registration
Type of data:
To use the Meliva Mobile App, you must first register. As a patient, you must first enter your email address and a password. You will then be required to validate the e-mail address you provided. After which, you will be asked to provide your identifying information.
The following personal data is required:
- First name
- Last name
- Address
- Phone number
- Gender
- Birthdate
- Insurance company
- Insurance number
Physicians operating through the web-app must register prior to the video consultation.
The following personal data is required:
- First name
- Last name
- Username
- Password
- Email address
Legal basis and purpose of data processing:
The data processing is necessary so that we can provide you with the services from the Meliva Mobile App as part of the free service contract. The legal basis for data processing is therefore Art. 6 Para. 1 Clause 1 lit b) GDPR.
The purpose of data processing is therefore to provide the app and the associated services.
Duration of storage:
Your personal data will be stored for the duration of use of the app. It will be deleted within 48 hours of deleting your account or the app.
Recipients / categories of recipients:
In exceptional cases, data will be processed on our behalf by contract processors. These are carefully selected, audited by us and contractually bound in accordance with Art. 28 GDPR. BeeHealthy Deutschland GmbH, Amazon Webservices and Amazon Simple E-Mail Service are used to provide the app and send the registration email.
For identity verification purposes we rely on Keycloak service provided by Intension GmbH.
2.2. Profile/settings for billing purposes
Type of data:
In order to be able to use all paid services, you must complete your profile with the following personal data:
- Telephone number
- Address (street, zip code, city)
- country
- Gender
- birth date
- Language
- Payer with choice of health insurance provider
- Insurance number (if available)
This data is also used to create and fill out the patient file.
The patient may also set up biometric authentication to further strengthen account security.
Legal basis and purpose of data processing:
The purpose of data processing is to properly bill you or your health insurance company for the requested medical services after they have been requested and to create the patient file in the doctor's information system. The telephone number is required as a date so that we can contact you in an emergency, for example if telecommunications are interrupted.
The legal basis for data processing is the treatment contract in accordance with Art. 6 Para. 1 S. 1 lit. b) in conjunction with Art. 9 Para. 2 lit. h in conjunction with Para. 3 GDPR in conjunction with Section 630a BGB.
Duration of storage:
The patient file, the billing-relevant documents and other necessary data from the attending physicians are subject to the statutory retention period and are stored for at least 10 years in accordance with Section 630f Para. 3 of the German Civil Code (BGB).
Recipients / categories of recipients:
The recipients of the data are our service providers BeeHealthy Deutschland GmbH, AWS and AWS SES, who are bound by instructions and are obliged to do so under Art. 28 GDPR. When billing for medical services, the necessary data is transmitted to the responsible health insurance companies.
2.3. Appointment booking and anamnesis
Type of data:
When booking an appointment, the following personal data will be requested or must already be stored in the profile:
- First name Name
- birth date
- Gender
- E-mail address
- Telephone number
- Date and time of the booked appointment
- Insurance data
The following information can be provided voluntarily to help the doctor prepare for the appointment:
- Reason for booking the appointment
- Contents of the free text field
- Information about symptoms
Please ensure that only information relevant to the treatment is entered here.
Once you have entered your details, you will receive a booking confirmation by email without any information about medical reasons or billing-related information. The booked appointments can be viewed in the app menu.
Optionally, the appointment can also be added to your mobile phone calendar. As part of a calendar entry, only the appointment information “Meliva digital practice consultation hours” and the date and time of the appointment are displayed.
Legal basis and purpose of data processing:
Your personal data (as a minimum requirement), provided they are necessary for medical consultation and billing, will be processed on the basis of Art. 6 Para. 1 Clause 1 lit. b) in conjunction with Art. 9 Para. 2 lit. h) in conjunction with Para. 3 GDPR in conjunction with Section 630a BGB and will become part of your patient file.
We process any additional personal data provided voluntarily on the basis of your consent in accordance with Art. 6 Para. 1 Clause 1 lit. a) or Art. 9 Para. 2 lit. a) of GDPR. You have the option of revoking your consent for the future at any time by deleting the appointment. If the doctor sees a need to document the medical information recorded here, it will become part of the patient file.
Duration of storage:
The patient file kept by the attending physicians is subject to statutory retention requirements and is stored for at least 10 years in accordance with Section 630f Para. 3 of the German Civil Code (BGB). Information provided voluntarily as part of appointment preparation and anamnesis can become part of the patient file if there is a medical need.
You can revoke your consent at any time with effect for the future in accordance with Art. 7 Para. 3 Clause 1 GDPR by deleting the appointment. This does not affect the legality of the data processing carried out up to the time of revocation. Personal data that is provided as part of the appointment preparation and anamnesis and is not of medical relevance will be deleted within 48 hours of deleting the app/account.
Recipients / categories of recipients:
The recipients of the data are our service providers BeeHealthy Deutschland GmbH, AWS and AWS SES, who are bound by instructions and are obliged to do so in accordance with Art. 28 GDPR.
2.4. Questionnaire and conversation chat (recording previous illnesses and symptoms)
Type of data:
In preparation for the video consultation, you also have the opportunity to give your doctor information about your state of health. Using a questionnaire in the chat, which can also be skipped, you can answer questions with predefined answer options (current complaints, previous illnesses, medication, etc.) on a voluntary basis. However, the video consultation can also be started without stating any complaints. This data is used for medical care and treatment and serves as advance information for your doctor.
In the chat you also have the opportunity
- further information on health status and
- Photos
to make available.
The following personal data will be processed with your explicit consent:
- Health data
- Symptoms
- Current medication
- Date and time of the request
- Chat content including uploaded files
Legal basis and purpose of data processing:
We process voluntarily provided personal data on the basis of your consent in accordance with Art. 6 Para. 1 Clause 1 lit. a) in conjunction with Art. 9 Para. 2 lit. a) GDPR. If the doctor sees a need to document the medical information collected here, this will become part of the patient file and will therefore be processed on the basis of Art. 6 Para. 1 Clause 1 lit. b) in conjunction with Art. 9 Para. 2 lit. h) in conjunction with Para. 3 GDPR in conjunction with Section 630a of the German Civil Code (BGB).
Any additional personal data will only be provided voluntarily. The legal basis for this is Art. 6 Para. 1 Clause 1 lit. a) in conjunction with Art. 9 Para. 2 lit. a) GDPR.
Duration of storage:
The information provided here will be used by the doctor for consultation and documented by him in the patient file if there is medical relevance.
This personal data is subject to retention periods of at least 10 years in accordance with legal requirements for patient care.
You can revoke your consent at any time with effect for the future in accordance with Art. 7 Para. 3 Clause 1 GDPR . This does not affect the legality of the data processing carried out up to the time of revocation. Personal data that is provided as part of appointment preparation and anamnesis and is not of medical relevance will be deleted within 48 hours of the app/account being deleted.
Recipients / categories of recipients:
The recipients of the data are our service providers BeeHealthy Deutschland GmbH and AWS, who are bound by instructions and are obliged to do so in accordance with Art. 28 GDPR.
2.5. Video consultation
Type of data:
The video chat is carried out in a secure connection between the two participants. To do this, the IP addresses of the end devices must be merged. The digital exchange then takes place in the form of the consultation. The following personal data is used for this:
- IP address
- hashed meeting room ID (will be created)
- video stream files, provided that the camera is switched on
- audio transmission, provided that audio is switched on
- Start and end time of the video meeting
Legal basis and purpose of data processing:
Video consultation is voluntary. Your personal data will be processed exclusively on the basis of your consent in accordance with Art. 6 (1) 1 lit. a) in conjunction with Art. 9 (2) lit. a) GDPR. The purpose of the data processing is to enable your doctor to provide a supplementary, holistic assessment and treatment.
The processing of the start and end time of the consultation serves the documentation as well as the billing of the medical service provided.
After the consultation, the hashed meeting room ID can be used to determine which doctor communicated with which patient.
Duration of storage:
Information processed for the technical and visual connection between the doctor and the patient via video meeting is deleted as soon as the session has ended.
The hashed meeting room ID is stored for documentation purposes until there is no longer any purpose for further storage.
You have the option to revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. You can also cancel a booked appointment at any time. During the video meeting, you can deactivate your camera at any time.
2.6. Satisfaction survey
Type of data:
After the chat or video consultation has ended, a satisfaction survey will appear in which you can rate your satisfaction with the medical consultation on a voluntary basis. As part of this survey, you can anonymously give a rating based on stars (0-5). In addition, a free text field appears in which the reason for the rating can be provided.
The following personal data is required at least:
– Star rating (voluntary)
– Content free text (voluntary)
Doctors receive aggregated ratings, e.g. “In the last month, 20 patients rated your treatment with 3 stars.”
Legal basis and purpose of data processing:
The purpose of this data processing is to enable positive and negative criticism to be made in order to reveal and eliminate weaknesses and to make future cooperation more effective and better. The legal basis for data processing is Art 6 Para. 1 S. lit. f) in conjunction with Art. 9 Para. 2 lit. a) GDPR. You have the right to object to data processing in accordance with Art. 21 GDPR. You can also revoke your consent at any time with effect for the future in accordance with Art. 7 Para. 3 Clause 1 GDPR . This does not affect the legality of the data processing carried out up to the time of revocation.
Duration of storage:
The reviews you submit will be retained until there is no longer any purpose for further storage and will then be deleted.
Recipients / categories of recipients:
The recipients of the data are our service providers BeeHealthy Deutschland GmbH and AWS, who are bound by instructions and are obliged to do so in accordance with Art. 28 GDPR.
2.7. Recipe management and transmission
Type of data:
As part of the prescription management, prescriptions may be made available in PDF format with instructions on dosage. However, the prescriptions cannot be "used" by you as a patient; they can only be viewed to monitor the medication.
During the chat, you can decide how prescriptions to be issued are to be handled. The doctor treating you will explain the relevant information. You can decide whether the prescription is to be sent to you by post or, at your request, to a partner pharmacy. The latter is initially sent via an encrypted email, and the original is then sent to you by post.
At least the following personal data is processed here:
- First name
- birth date
- address
- Telephone number
- Health insurance
- Insurance number
- Medication and dosage
- Date of prescription issue
- Issuing doctor
Legal basis and purpose of data processing:
The processing of your data for the purpose of prescription and dosage management is carried out on the basis of Art. 6 Para. 1 Clause 1 lit. b) in conjunction with Art. 9 Para. 2 lit. h) in conjunction with Para. 3 GDPR in conjunction with Section 630a of the German Civil Code (BGB).
The processing of your data by means of transmission to the partnered pharmacy is carried out exclusively on the basis of your consent and thus on the basis of Art. 6 Para. 1 Clause 1 lit. a) in conjunction with Art. 9 Para. 2 lit. a) GDPR. The purpose of the data processing is the administration and transmission of prescriptions.
Duration of storage:
The data collected when providing the recipe is stored in the chat for the duration of the app's use. It is deleted within 48 hours of the app/account being deleted.
You can revoke your consent at any time with future effect in accordance with Art. 7 Para. 3 Clause 1 GDPR . This does not affect the legality of the data processing carried out up to the time of revocation.
Recipients / categories of recipients:
If you have agreed to pharmacy delivery, the respective partner pharmacy will receive your prescription data.
In exceptional cases, data will be processed on our behalf by contract processors. These are carefully selected, audited by us and contractually bound in accordance with Art. 28 GDPR.
2.8. Care plans / treatment plans
Type of data:
The menu item "Care Plans" takes you to treatment and coaching plans that will accompany you during treatment. They do not contain any of your personal data, but they do contain questionnaires etc. that you as a patient can fill out on a voluntary basis with your personal data (e.g. body size, diary entries, eating habits, etc.).
There are self-training care plans that allow anonymous use and where doctors cannot see your data in the care plan, or the option to start medically supervised care plans. With the latter, our doctors can see your data in the care plan. Certain care plans only become visible after they have been activated by the respective doctors.
If a specific medically supervised care plan is selected, you will be able, after consultation with the doctor, to upload attachments yourself, which can be viewed by the respective doctor.
Legal basis and purpose of data processing:
We process your personal data on the basis of your consent in accordance with Art.6 Para. 1 Clause 1 lit. a) in conjunction with Art. 9 Para 2. lit. a) GDPR for the purpose of providing you with comprehensive medical treatment that will help you lead a healthier lifestyle in the long term.
Duration of storage:
Your personal data will be stored for the duration of use of the app. It will be deleted as soon as you have confirmed the deletion of your account or you have deleted the app within 48 hours.
The information provided here will be used by the doctor for consultation and documented by him in the patient file if there is medical relevance.
This personal data is subject to retention periods of at least 10 years in accordance with legal requirements for patient care.
You can revoke your consent at any time with future effect in accordance with Art. 7 Para. 3 Clause 1 GDPR . This does not affect the legality of the data processing carried out up to the time of revocation.
Recipients / categories of recipients:
The recipients of the data are our service providers BeeHealthy Deutschland GmbH and AWS, who are bound by instructions and are obliged to do so in accordance with Art. 28 GDPR.
2.9. Customer service and app support (chat / email)
Type of data:
For appointment and service requests to a Meliva unit, you can contact an employee of the unit at any time via the menu item “Digital Practice” and “Appointment and Service Request Meliva unit xy” via chat.
In doing so, we process at least the following personal data in customer service:
• First name, last name
• Time
• (voluntarily) shared chat content
• Uploaded files
If you have any questions about the app or its functions, you can contact the app support. You will find a contact button under the menu item “Profile”, where you can select “Technical support”. When you select this button, an e-mail draft of the e-mail program will open. You can enter your request and send the e-mail.
The following personal data is required at least:
- E-mail address
- Date and time of the mail
Legal basis and purpose of data processing:
The legal basis for data processing is Art. 6 Para. 1 Lit. f) GDPR. Our legitimate interest is to offer you the opportunity to contact us directly regarding any questions you may have about the functionality or use of the app and to be able to provide you with a targeted answer as quickly as possible. Should you decide to voluntarily disclose any health information in your message, or any other sensitive information, the processing shall be based on your explicit consent in accordance with Art. 9 Para 2. Lit. a) GDPR.
Duration of storage:
After treatment has ended, sent emails will be deleted.
Recipients / categories of recipients:
Chat messages are processed by our Meliva customer service. Chat messages are processed on the servers by our service providers BeeHealthy Deutschland GmbH and AWS in accordance with instructions.
Email messages are sent to a shared mailbox for Meliva customer service, which consists of Meliva employees.
2.10. Error messages and application security
Type of data
If errors occur in the app or it does not function properly, data will be collected as part of error messages and used to troubleshoot the problem. Only your app ID will be used and recorded in the report.
Additionally, to keep our processing systems and the application secure, we collect and process certain personal information concerning the actions that you have performed on our application, such as::
- IDs created by the platform
- IP address
- Device data and/or browser information
- Technical logs and information concerning actions performed in the application.
Legal basis and purpose of data processing:
The collection of error messages and device data to improve the app and ensure the security of the systems is in our legitimate interest. The data processing is therefore carried out on the basis of Art. 6 Para. 1 Lit f of GDPR. You have the right to object to data processing in accordance with Art. 21 GDPR.
Storage period
The error messages collected here will be deleted after they have been evaluated and there is no longer any purpose for further storage.
Recipients / categories of recipients
The error reports and device data are processed by our service providers BeeHealthy Deutschland GmbH, New Relic, LogZ.io and FriendlyCaptcha, who are bound by instructions. The app ID is also processed outside the EU or EEA. To ensure a uniform level of data protection, the standard contractual clauses have been concluded and additional security measures have been taken to ensure the security of the data.
2.11. Analysis and visualization service
For internal visualization of business transactions and for custom analyses of processes in the app, we use the “Microsoft Power BI” service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
These are merely aggregated reports based on evaluations at an anonymous level (i.e. without personal reference) and therefore do not constitute the processing of personal data.
2.12. Application security
Type of data
To keep our processing systems and the application secure, we collect and process certain personal information concerning the actions that you have performed on our application.
Specifically, the following information is collected:
- IDs created by the platform
- IP address
- Device data and/or browser information
- Technical logs and information concerning actions performed in the application.
Legal basis and purpose of data processing:
The legal basis for data processing is Art. 6 Para. 1 lit. f) of GDPR. We have a legitimate interest in ensuring that our application and our systems are secure and
3. Account deletion for the Meliva app
Users can delete their account by following the instructions below.
Instructions for account deletion in our mobile application:
- Log in to the app with the account you want to delete
- Navigate to the profile page by clicking on your profile on the bottom tab of the application
- Scroll down on the profile page until you find the “Delete Account” button
- You will be redirected to a special page where you can request deletion of your account.
- Confirm that you want to delete your user account by entering your first and last name in the input field
- Press “Delete user account”.
- You will be logged out and your account and data will be deleted within the next 48 hours
After the account is deleted, the data processed in the app will not be retained. Information about access and use of healthcare services will be stored in the patient information system of the Meliva facility.
4. Your data protection rights
As a data subject, you have the right to information about the personal data concerning you (Article 15 GDPR) and to rectification of inaccurate data (Article 16 GDPR) or erasure if one of the reasons stated in Article 17 GDPR applies. You also have the right to restriction of processing if one of the conditions stated in Article 18 GDPR applies and, in the cases of Article 20 GDPR, the right to data portability.
If the processing of data is based on your consent, you are entitled to revoke your consent to the use of your personal data at any time in accordance with Art. 7 Para. 3 GDPR. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. Please also note that we may have to retain certain data for a certain period of time in order to fulfill legal requirements, despite your revocation.
In cases where we process your personal data on the legal basis of Art. 6 Para. 1 S. 1 lit. e) GDPR or Art. 6 Para. 1 S. 1 lit. f) GDPR, you have the right to object at any time in accordance with Art. 21 GDPR . We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
You can exercise your data protection rights via the following email address: datenschutz@meliva.de
In addition, as a data subject, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR if you believe that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be asserted in particular with a supervisory authority in the member state of your habitual residence.
5. Our data protection officer
You also have the right to contact our data protection officer at any time, who is obliged to maintain confidentiality regarding your request. The contact details of our data protection officer are:
|
Contact details |
|
|
Dr. Jovan Stevovic Chino Srl Via Segantini 28 |
e-mail: meliva-dpo@chino.io |
We will be happy to provide you with further information upon request.
Last updated: 2025-10-28
Dokument erstellt mit ChecksMATE, der Datenschutz-Management-Plattform von Chino.io