• Privacy Policy (App)

The Privacy Policy of the Rescue Made Simple App

Privacy Policy (App)

Privacy Policy (App)

Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter referred to as “data”) we process, for what purposes, and to what extent within the scope of providing our Rescue Made Simple App.

The terms used are not gender-specific.

Status: November 17, 2022

Responsible Party

Gleea Educational Software GmbH
Hubert-Dammert-Str. 1
86836 Klosterlechfeld

Authorized representatives: Stefanie Graumann, Christian Brugger, Christoph Graumann, Andreas Voit.

Email address: [email protected].

Legal Notice: https://gleea.de/impressum.

Simple Summary

At any time, you have control over what personal data you want to share with us. In the Rescue Made Simple App, you can edit your profile and change your data anytime. The only thing we absolutely need is a valid email address. Of course, you are welcome to use services like Apple Private Relay to obscure your address.

The following data can be voluntarily provided in your profile:

  • First name
  • Last name
  • Medical qualifications
  • Training status
  • Federal state
  • Organization

We use this data for statistical purposes to create better case packages for your qualification level and region in the future.

While using the app, additional data is collected that we link to your profile. These are essentially your completed case examples and your results. This data is used so you can view and improve your performance history.

We also collect anonymized usage statistics to further improve our app. This information is not linked to your profile, and we cannot trace the statistics back to any individual.

Registration with an Institution

You can enter a code in your profile to register with an institution (such as your rescue service school or employer). You will then have exclusive access to case examples within this institution in individual courses.

By entering a code, you agree that your profile data (see above) can be viewed by the institution’s administrators and lecturers. If you complete case examples within a course, your lecturer will have access to your results and how you approached the case examples. Progress from other institutions, purchased case packages, or demo cases is not affected.

Special Case: S&K Publishing

If you enter a code from an S&K Publishing product (e.g., the RESCUE magazine or LPN textbook), your personal data will be anonymized. S&K Publishing employees never have access to your personal data.

Detailed Privacy Policy

The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected individuals.

Types of Processed Data

  • Inventory data (e.g., names, addresses).
  • Content data (e.g., entries in online forms).
  • Contact data (e.g., email, telephone numbers).
  • Meta/communication data (e.g., device information, IP addresses).
  • Usage data (e.g., visited websites, interest in content, access times).
  • Contract data (e.g., contract subject, duration, customer category).
  • Payment data (e.g., bank details, invoices, payment history).

Categories of Affected Persons

  • Business and contractual partners.
  • Interested parties.
  • Communication partners.
  • Customers.
  • Users (e.g., website visitors, users of online services).
  • Students/participants.

Purposes of Processing

  • Registration process.
  • Provision of our online offerings and user-friendliness.
  • Office and organizational procedures.
  • Direct marketing (e.g., via email or postal mail).
  • Contact requests and communication.
  • Security measures.
  • Performance of contractual services and customer service.
  • Administration and response to requests.

Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection provisions may apply in your or our country of residence. Should specific legal bases be applicable in individual cases, we will inform you of this in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection in Germany apply. This includes, in particular, the law to protect against the misuse of personal data in data processing (Bundesdatenschutzgesetz - BDSG). The BDSG contains specific provisions, particularly regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for employment purposes (§ 26 BDSG), especially concerning the establishment, execution, or termination of employment relationships and the consent of employees. State data protection laws of individual federal states may also apply.

Security Measures

We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

Among the measures are, in particular, the securing of confidentiality, integrity, and availability of data through control of physical and electronic access to the data, as well as access to them, their input, transmission, secured availability, and their separation. Furthermore, we have procedures in place that ensure data subject rights, deletion of data, and responses to data threats. We also consider the protection of personal data in the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by default.

SSL Encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser. This also applies to any communication between our app and the backend server.

Transfer of Personal Data

In the context of our data processing, it may happen that data is transferred to other entities, companies, legally independent organizational units, or individuals or that they are disclosed to them. Recipients of these data can include service providers entrusted with IT tasks or providers of services and content embedded in a website. In such cases, we comply with the legal requirements and conclude appropriate contracts or agreements, which serve to protect your data, with the recipients of your data.

Data transfer within the organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this disclosure is for administrative purposes, the transfer of data is based on our legitimate entrepreneurial and business interests or occurs if it is necessary for the performance of our contractual obligations or if there is consent from the data subjects or a legal permit.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs as part of the use of services from third parties or the disclosure or transfer of data to other individuals, entities, or companies, this only takes place in accordance with legal requirements.

Subject to express consent or contractual or legally required transfer, we process or allow the processing of data only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection rules (Art. 44 to 49 GDPR, EU Commission Information Page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Deletion of Data

The data we process is deleted or its processing is restricted according to the legal requirements, once consents that allow the processing are revoked or other permissions cease to apply (e.g., if the purpose of the processing of the data no longer applies or it is not necessary for the purpose anymore).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be limited to these purposes. This means the data is locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or to protect the rights of another natural or legal person.

Our data protection notices may also contain further information on the retention and deletion of data, which applies primarily to the respective processing activities.

Business Services

We process data from our contractual and business partners, such as customers and interested parties (collectively referred to as “contractual partners”) within the scope of contractual and comparable legal relationships as well as the associated measures and within the scope of communication with the contractual partners (or pre-contractual) to answer inquiries.

We process this data to fulfill our contractual obligations, safeguard our rights, and for purposes associated with these indications and entrepreneurial organization. We only transmit the data of contractual partners to third parties within the framework of applicable law to the extent necessary for the aforementioned purposes or to fulfill legal obligations, or if it is done with the consent of data subjects (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax, and legal advisors, payment service providers, or tax authorities). Contract partners will be informed within the scope of this privacy policy about further forms of processing, e.g., for marketing purposes.

We inform the contract partners which data is necessary for the aforementioned purposes before or during data collection, e.g., in online forms, via specific markers (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be retained for statutory archiving reasons (e.g., for tax purposes, generally 10 years). Data that has been disclosed to us in the context of an order by the contract partner will be deleted in accordance with the order specifications, generally after the end of the order.

As far as we use third-party services or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between users and providers.

Customer Account: Contract partners may create an account within our online offer (e.g., customer or user account, briefly referred to as “customer account”). If registration for a customer account is required, contract partners will be informed accordingly, as well as the required information for registration. Customer accounts are not public and cannot be indexed by search engines. As part of registration and subsequent registrations and uses of the customer account, we store the IP addresses of the customers along with the access times so we can prove registration and prevent misuse of the customer account.

If customers terminate their customer account, the data relating to the customer account will be deleted, subject to statutory retention requirements. It is the responsibility of customers to secure their data upon termination of the customer account.

Educational and Training Services: We process the data of participants in our educational and training offers (uniformly referred to as “trainees”) to provide them with our training services. The data processed in this context, the type, scope, purpose, and necessity of their processing are determined by the contractual and training relationships. Processing forms also include performance evaluation and the evaluation of our services and those of the lecturers.

In the course of our activities, we can also process special categories of data, particularly information relating to the health of trainees and data from which the ethnic origin, political opinions, religious or philosophical beliefs are derived. Here we obtain an express consent from the trainees when necessary and otherwise only process the special categories of data when it is required for the provision of the training services, for purposes of health care, social protection, or protection of the vital interests of the trainees.

Where necessary for our contract fulfillment, to protect vital interests, or by law, or where trainees give consent, we disclose or transfer the data of the trainees under observance of professional requirements to third parties or agents, such as authorities or in the field of IT, office, or similar services.

  • Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, content interest, access times), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Interested parties, business and contract partners, customers, students/participants.
  • Purposes of processing: Provision of contractual services and customer service, contact requests and communication, office and organizational procedures, administration and response to inquiries, security measures.
  • Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Provision of Online Offer and Webhosting

To provide our online offer securely and efficiently, we use the services of one or more webhosting providers from whose servers (or managed by them) the online offer can be accessed. For these purposes, we use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The processed data in the context of providing these services includes all data relating to the users of our online offer necessary for communication and usage thereof. Regularly, this includes the IP address necessary to deliver the contents of online offers to browsers and any input made within our online offer or websites.

Collection of Access Data and Log Files: We or our webhosting provider collect data about each access to the server (so-called server log files). The server log files may include the address and name of the retrieved web pages and files, date and time of access, data volumes transmitted, message about successful retrieval, browser type and version, the operating system of the user, referrer URL (the previously visited page), IP addresses, and the requesting provider.

Server log files may be used for security purposes, e.g., to monitor for overloads on the servers (particularly in cases of abuse attacks, known as DDoS attacks), and to ensure server utilization and stability.

  • Processed data types: Content data (e.g., entries in online forms), usage data (e.g., visited websites, content interest, access times), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

Registration, Login, and User Account

Users can create a user account. During registration, the required mandatory details are communicated to the users and are processed for the purpose of providing the user account based on the fulfillment of contractual obligations. Processed data includes, in particular, login information (username, password, and an email address).

In the course of using our registration and login functions and the use of the user account, we store the IP address and the times of the user actions. The storage is based on our legitimate interests and those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users will be informed about actions that are relevant for their user account, such as technical changes, by email.

Registration with Pseudonyms: Users may use pseudonyms instead of real names as usernames.

User profiles are public: The profiles of the users are publicly visible and accessible.

Deletion of Data After Termination: If users have terminated their user account, their data concerning the user account will be deleted, provided that there is no legal retention obligation. It is the responsibility of users to back up their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the contract period.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service, security measures, administration, and response to inquiries.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Single-Sign-On Authentication

“Single-Sign-On“ or “Single-Sign-On Authentication“ is understood as procedures that allow users to log in using a user account with a single sign-on provider (e.g., a social network) also when using our online offer. The prerequisite for single-sign-on authentication is that users are registered with the respective single-sign-on provider and enter the necessary access data into the corresponding online form or are already logged in at the single-sign-on provider and confirm the single-sign-on registration via button.

Authentication takes place directly with the respective single-sign-on provider. As part of such authentication, we receive a user ID with information indicating that the user under this user ID is logged in at the respective single-sign-on provider and does not require further authentication (e.g., user handle). Whether we receive additional data depends solely on the single-sign-on procedure used, on the selected data releases within the scope of the authentication, and additionally on what data users have released in the privacy or other settings of the user account with the single-sign-on provider. It can be different data depending on the single-sign-on provider and the user’s preferences; as a rule, these are the email address and username. The password entered during the single-sign-on process is neither visible to us nor is it stored by us.

Users are asked to note that their data stored with us can be automatically compared with their user account at the single-sign-on provider, but this is not always possible or actually happens. For example, if users change their email addresses, they must manually change them in their user account with us.

We can use single-sign-on registration, provided it has been agreed with users, in the context of or before contract performance, if users have been asked for their consent, and otherwise based on our legitimate interests and those of users in an efficient and secure authentication system.

If users decide not to use their user account with the single-sign-on provider for single-sign-on anymore, they must cancel the connection with their user account at the single-sign-on provider. If users want to delete their data, they must cancel their registration with us.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service, registration process.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfillment, and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. If the specific content of the newsletter is described in the context of a subscription, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is usually sufficient to provide your email address. However, we might ask you to provide a name for personal address in the newsletter or further details, if required for the purposes of the newsletter.

Double-Opt-In Procedure: The registration for our newsletter takes place generally in a so-called double-opt-in procedure. This means you will receive an email after registration asking you to confirm your registration. This confirmation is necessary so that no one can register with external email addresses. Registrations for the newsletter are logged to provide proof that the registration process complies with legal expectations. This includes storing the login and confirmation times as well as the IP address. Changes to your data stored by the shipping service provider are also logged.

Deletion and Restriction of Processing: We can store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to prove previous consent. The processing of this data is limited to the purpose of a possible defense against claims. Individually, a request for deletion is possible at any time, provided the previous existence of consent is simultaneously confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist (so-called “blacklist”) for this purpose alone.

The logging of the registration process is based on our legitimate interests for purposes of proving its proper procedure. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure sending system.

Notes on Legal Bases: The dispatch of the newsletters takes place based on the receiver’s consent or, if a consent is not required, based on our legitimate interests in direct marketing, provided and to the extent it is permitted by law, e.g., with existing customer advertising. As far as we commission a service provider with the dispatch of emails, this is done on the basis of our legitimate interests. Registration procedures are recorded on the basis of our legitimate interests in proving that they have been conducted in accordance with the law.

Contents: Information about us, our services, apps, promotions, and offers.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or postal mail).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Objection possibility (Opt-Out): You can cancel the receipt of our newsletter, i.e., revoke your consent or object to further receipt, at any time. A link to cancel the newsletter can be found either at the end of each newsletter or, you can use any of the contact options listed above, preferably email, for this purpose.

Changes and Updates to the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes to the data processing we perform make it necessary. We inform you as soon as changes require a contribution from you (e.g., consent) or if an individual notification becomes necessary.

Should we provide addresses and contact information for companies and organizations in this privacy policy, please note that the addresses may change, and we ask you to verify the information before contacting us.

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR, in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
  • Right to withdraw consent: You have the right to revoke consents at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.
  • Right to deletion and restriction of processing: You have the right to request that data concerning you be deleted immediately in accordance with legal requirements, or alternatively to request a restriction of data processing in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you, which you provided to us, in a structured, commonly used, and machine-readable format according to legal requirements or to request their transmission to another controller.
  • Complaint to supervisory authority: You have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of data concerning you violates the GDPR.

Supervisory authority responsible for us:

Bavarian State Office for Data Protection Supervision
Postfach 1349
91504 Ansbach
Phone: 0981/180093-0
Email: [email protected]

Definitions

This section provides you with an overview of the terminology used in this privacy policy. Much of the terms are taken from the law and are essentially defined in Article 4 GDPR. The legal definitions are binding. The following explanations are primarily intended to assist understanding. The terms are arranged in alphabetical order.

  • Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, particularly by means of association with an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, such as collection, evaluation, storage, transmission, or deletion.

Created with the free Privacy Policy Generator from Dr. Thomas Schwenke.