Privacy Policy

1. Data ProtectionData protection is of paramount importance to us. The collection and processing of your data always happens with respect to the data protection regulations in force, especially the General Data Protection Regulation (GDPR). We collect and process your personal data to offer to you our website and our app services. Pursuant to Art. 13 GDPR, in this declaration we describe to you for what purpose and to what extent we use your data and what your options and rights in regard to the use of your personal data are. 
Responsible Body
The responsible body for all purposes regarding data protection compliance on our website and in our application is Hope Applications GmbH, represented by Alina Latus, Eggerstedtstraße. 51, 22765 Hamburg.
Data protection supervisor
We appointed Urs Preukschat as data protection supervisor. We are available for all enquiries regarding data protection. For these purposes you have the following contact options:Tel.: +49 (0) 176 61 50 77 69E-Mail: datenschutz@hope-app.net
2. Data processing
Download and use of the Hope App „alone“
No personal data is generally collected or processed during download and use of the Hope App. No authorizations are necessary in order to use the app. The app is saved on your terminal device and does not establish a connection to us.In case personal data is entered into the app by the user that data is not accessible to us.
Download and use of the Hope App in conjunction with a fertility clinicIt is possible to use the app in conjunction with a fertility clinic. This happens upon consultation with the respective partner fertility clinic. The clinic issues a QR code which is eventually scanned on the terminal device by the patient. In the following section we will explain how such a process takes place from a data protection standpoint:The connection between the clinic and the terminal device is secured by an asymmetrical encryption. A random, anonymous channel ID is requested from our API in the clinic by the clinic software. The clinic locally generates a pair of keys. The patient receives the channel ID together with the public key of the clinic and a randomly generated one-time-password (so-called „challenge“) in the shape of a QR code. The channel ID cannot be traced back to a particular person. An allocation is only possible in the clinic.In case the patient scans the QR code with the Hope App, a pair of keys is locally generated on the terminal device. The public key is then transferred to the clinic through our API („application programming interface“). The QR code challenge serves as an authentication in order to verify that the request is made by an authorized person. When a connection is established, the secure channel is activated and cannot be connected to any other terminal device. Under no circumstances Hope can read data that is sent over the API - no matter the direction - because the private keys never leave the terminal device or the clinic. The Channel ID that is used in order to allocate messages can only be traced back to personal data in the clinic. For this purpose separate agreements between patient and clinic exist. 
C) Use of third-party servicesIn order to guarantee the proper functioning of the Hope App and our website, we use certain third-party services. While choosing our third-party services we pay tremendous importance to data security. In the following sector we would like to fully disclose the third-party services we use and which data these services use and where to find more information on them.Insofar as these services process data this serves the purpose of a correct and error-less functioning of our website and our app as well as guaranteeing certain functions in our Hope App. aa) Fathom AnalyticsOur website, but not our Hope App, utilizes certain functions of the web analytics service Fathom Analytics. The responsible provider for Fathom Analytics is Conva Ventures Inc, 47 Maple Street, Suite 103, Burlington, VT 05401, United States of America.The provider analyzes user visits on websites in an anonymized way for the purpose of statistical analysis. Due to the anonymization no assignable personal data is stored. Our website solely uses an analysis function offered by Fathom Analytics. This function enables us to create reports which show us specific data concerning the used terminal devices and location information of the respective website visitors. An allocation of this data to a certain person is not possible. No other data beyond this is processed. Moreover, Fathom Analytics does not use „cookies“ and no information generated from cookies is led to any external servers. The provider states that its guidelines always comply with existing data protection regulations. You can find more information on the provider’s website under https://usefathom.com/databb) SentryWe use the provider Sentry for the purpose of error tracking in the Hope App. Sentry is a service offered by Function Software Inc. , 132 Hawthorne Street, San Francisco, United States of America.We solely use this service for our internal error analysis and for help for our users in case of technical issues. Sentry helps us find errors in real time and show us why the respective error occurred. In this process, error reports are sent. Sentry’s services have to be actively switched on in our app for this to happen. Error reports are sent only in case an error occurs in the app. In case this option is explicitly switched on in the settings, a unique ID is sent with the error report. More than one error cannot be traced back to the same device. The user stays anonymous. We have concluded a „data processing amendment“ with Sentry. This is a form that automatically changes Sentry’s terms of use in order for them to comply with European data protection standards. Data that Sentry receives is thus handled according to the strict European conditions. You can find more information on Sentry’s data protection standards, as well as an openly accessible example form which matches the one we have concluded with Sentry under https://sentry.io/security/.cc) OneSignalWe use services by the provider OneSignal for the provision of so-called „push notifications“, short messages sent to our users via their terminal device. OneSignal is provided by OneSignal, 2850 Delaware Street, San Mateo, United States of America.OneSignal uses a so-called unique identifier. This is a mechanism used in order for notifications to be sent to the right device. For this purpose OneSignal tracks some data, such as the operating system used on the respective terminal device, the time zone, the country in which the use takes place, the number of sessions and other. Hope does not use the option of sending data tags with personal data to OneSignal.OneSignal states to be GDPR-compliant. For more information on OneSignal’s data protection standards, see: https://onesignal.com/privacy .dd) GeniusScan SDKWe use services by Genius Scan SDK, offered by The Grizzly Labs, SAS, 5 Villa Lantiez, Bat B1, 75017 Paris.This service is used for the purpose of scanning documents. This service enables our Hope App to scan the QR codes issued by the fertility clinics. Hope generally has full control over how this happens. Accordingly, the above-mentioned provisions on Hope’s data protection standards take effect.Genius Scan might analyze certain usage data. This, however, happens only in a way that does not process personal data. All data is analyzed anonymously. GeniusScan only stores data in the EU or other countries that follow European data protection standards. All services of the provider are , according to the provider’s indications, fully GDPR-compliant. For more information on the provider’s data protection standards see https://help.thegrizzlylabs.com/article/170-privacy-security-and-complianceee) Scandit SDKWe use the service Scandit SDK, offered by Scandit Group, including several subsidies of Scandit Group.This service is used for the purpose of scanning mobile and web applications. Hope uses Scandit SDK in order to scan barcodes.Scandit SDK collects data regarding the use of the respective services. The collection of data serves, if necessary, the purpose of error fixing and the guarantee of functions, as well as performance analysis for statistical purposes. The collection of analysis and performance control data serves our legitimate interest to guarantee security and functionality of our app. For more information on Scandit Group’s data protection standards see https://www.scandit.com/privacy/ff) RapidmailWe use services by rapidmail, offered by rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau.We use rapidmail solely for sending newsletters to fertility clinics. If you are a clinic that wants to receive newsletters and actively consent to the sending of newsletters, this concerns you. All other customers and users are not concerned. In case you subscribe to our newsletter, the data necessary for subscription will be submitted to the responsible person. Subscription takes place in a so-called „Double-Opt-In-Process“. This means that after subscribing to our newsletter services you will receive another mail asking you for confirmation. The confirmation serves the purpose of protection of your mail account. In order to prevent abuse, the user IP address as well as the date and time of the respective registration are saved during this process. This data is exclusively used for the newsletter services.Mails sent with rapid mail might contain a so-called „Tracking Pixel“ for reasons of analysis which connects with rapidmail’s servers when the e-mail is opened. This process enables us to see if and which messages have been opened. Additionally, it is possible for us to see if and which links are clicked on in a newsletter message. All links in the e-mail are tracking links which means that clicks can be counted. Art. 6 (1) (a) GDPR serves as a legal basis for the processing of data after the subscription to our newsletter services.
We have concluded a data processing agreement with rapidmail in which rapidmail promises to protect user data and not to submit data to third parties.A termination of the newsletter subscription is possible at all times. If you don’t wish to receive an analysis via rapid mail, your termination is required. You can find a link for unsubscription in each newsletter mail sent by us. An unsubscription is also possible via our website or via e-mail to us. In case a newsletter subscription gets terminated all of your data is deleted in our systems as well as in rapidmail’s systems.For more information on rapidmail’s data protection standards see https://www.rapidmail.de/datenschutz gg) DataDogOut platforms use services by DataDog. DataDog is a monitoring system by Datadog, Inc., 620 8th Ave, 45th Floor, New York, NY 10018 United States of America.The system notifies our development team regarding possible errors in our application. For this reason log data is transferred to DataDog Inc. This may contain data like the browser, time of access, viewed sites, IP address etc. This serves our legitimate interest of guaranteeing the functionality and security of our services.For more information regarding the collection and processing of data by DataDog Inc. see www.datadoghq.com/legal/privacy/ hh) DatoCMSWe use services by DatoCMS by the provider DatoCMS, Dato Sri, Via Francesco Botticini 3, 50143 Firenze, Italy.DatoCMS provides data for certain functions of our Hope App and in relation to our Hope API. For this purpose, DatoCMS collects some data. This contains for example a User ID. This serves the legitimate interest of provision and functionality of our services.DatoCMS claims to follow GDPR-Standards. For more information about DatoCMS’ data protection standards see: https://www.datocms.com/legal/privacy-policyii) hCaptchaIn order to protect our contact forms against unrequested automated messages (spam) we use the services of hCaptcha by Intuition Machines, Inc. , 350 Alabama Street #10, San Francisco, CA 94110, United States of America.This service is used to verify whether message requests on our contact forms stem from real people or from bots. This is supposed to prevent automated spam messages. hCaptcha analyzes certain user behaviours on the website in order to determine if a user is a bot. If a part of the website with activated hCaptcha is reached information is analyzed, e.g. IP adress and duration of the website or app visit. The collected data is transmitted to hCaptcha. This data processing is based on Art. 6 (1) (f) GDPR: We have a legitimate interest to prevent abuse of our services as well as spam.hCaptcha’s provider acts as data processor that acts in the name of its customers as defined in the GDPR and as a „service provider“ within the means of the California Consumer Privacy Act (CCPA). For more information on hCaptcha and its data protection standards see: https://hcaptcha.com/privacy/ and https://hcaptcha.com/terms .jj) DigitalOceanWe use a cloud platform for virtual servers by Digital Ocean LLC, New York. The respective server is located in Frankfurt in a data center in which DigitalOcean rents spaces. DigitalOcean processed data when the platforms are accessed. This can, amongst others, contain date and time of access, the internet browser and the IP address. We have a data processing agreement with DigitalOcean. An example form which matches the agreement we concluded can be found publicly under https://www.digitalocean.com/security/gdpr/data-processing-agreement/ .For more information concerning DigitalOcean’s data security see https://www.digitalocean.com/security/ .jj) All-Inkl.ComWe use services by All-inkl.com. The service is provided by All-Inkl.com, Hauptstraße 68, D-02742 Friedersdorf, Germany. All-Inkl.com is our website hoster. All data is hosted in a high security level computer centre in Germany. The basis for the usage of this service is Art. 6 (1) (f) GDPR. We have a legitimate interest that our website is reliably displayed at all times. We have a data processing agreement with All-inkl.com which takes into account the provisions of the GDPR and which determines that All-Inkl.Com is only allowed to use the personal data of our users according to our instructions.For more information regarding the data protection regulations of All-Inkl.com see https://all-inkl.com/datenschutzinformationen/
4. Data protection rightsRight of access by the data subject, Art. 15 GDPR:
You have the right to request a confirmation on whether we process your personal data from us. If this is the case, you can request information on your personal data and on the following information: the purpose of processingThe categories of personal data being processedThe recipients and categories of recipients to whom personal data have been disclosed or will be disclosed in the future, especially recipients in third countries or at international organizationsIf possible, the planned duration of the personal data storage or, if not possible, the criteria for how the duration period is decidedThe existence of a right to rectification or erasure of the personal data concerning yourself or the right to restriction of data processing or the right to objection against data processingThe existence of a right of action in front of the supervisory authoritiesIf personal data is not directly raised from you, all available information about the origin of data - the existence of automated decision making including profiling according to Art. 22 (1) and (4) GDPR and meaningful information about the logic and desired effects of such a processing for the person concernedRight to Rectification Art. 16 GDPR
You are entitled to request rectification without undue delay of inaccurate personal data stored with us as well as to have incomplete data completed, including by means of a supplementary statementRight to erasure Art. 17 GDPR
You are entitled to request erasure of personal data stored with us insofar as one of the following grounds applies:the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processedYou withdraw consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processingyou object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPRThe personal data have been unlawfully processedThe personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subjectThe personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR. In this case we are obliged to remove the data, insofar as the processing is not required for purposes of freedom of speech and information, for reasons of public interest or for the exercise of legal claimsRight to restriction of processing Art. 18 GDPR
You have the right to obtain from us restriction of processing where one of the following applies:the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;We no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;You have objected to processing pursuant to Article 21(1) pending the verification whether our legitimate grounds override yours.Right to data portability, Art. 20 GDPRYou have the right to receive the personal data concerning yourself, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and the processing is carried out by automated meansRight to Object, Art. 21 GDPR
You have the right to object, on grounds relating your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data is no longer processed for such purposes.Right to Withdrawal of Consent, Art. 7 GDPR

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It is as easy to withdraw as to give consent.Right to Complaints in front of the supervisory authorities
You have the right to complain in front of a supervisory authority, regardless of a possible administrative or right to apply to the courts, especially in the Member State of your ordinary place of stay, your place of work or the location of our company office (Germany) in case you are of the opinion that the processing of your personal data infringes the GDPR. You can also make use of your rights per mail via datenschutz@hope-app.net5. Data SecurityThis app uses encryption according to the best available technology in order to ensure security and protect sensitive information. When the encryption is active, data submitted to us cannot be read by third parties. Moreover, we have established security mechanisms in technical and organizational form in order to prevent your data from being randomly or deliberately manipulated, partial and complete loss, destruction and the unauthorized access of third parties.6. Validity and amendment of this privacy policyThis privacy policy is currently valid. In order to guarantee that our privacy policy is always compliant with current regulations we reserve the right to change the policy at any time. This is also the case if our privacy policy has to be altered due to new or reworked features.

Back