This Privacy Policy describes how Das Lab GmbH (also referred to as “DasLab”, “our”, “us” and “we”) collects, uses and discloses personal data, as well as any choices you have with respect to this personal data.
We take the protection of your personal data seriously and we aim to be as transparent as possible.
This Privacy Policy applies to the platform provided by DasLab that connects Healthcare Providers, Medical Laboratories - and other healthcare stakeholders - with patients, including the associated DasLab mobile and desktop applications (collectively, the “Platform”). This Privacy Policy does not apply to any third-party applications or software that integrate with our Services, or any other third-party products, services or businesses (“Third-Party Services”).
The EU General Data Protection Regulation (“GDPR”) differentiates between the “controller” and “processor” of personal data. DasLab is the controller of data entered by users. If you have any questions or complaints, or would like to exercise your rights with regard to your personal data, please contact us at
Das Lab GmbH
Ludwigstraße 8
80539 München
contact@daslab.de
https://daslab.health/legal/imprint
If you have any questions regarding the processing of your personal data, please do not hesitate to contact us. You are also welcome to direct your data protection concerns to our data protection officer by sending an email to the above-mentioned email address. Please note that your request will not be received by our data protection officer alone. If you wish to contact only our data protection officer and/or wish to send confidential information, please refer to the data protection officer in your email and ask to be contacted.
The personal data that we process is provided by the user.
DasLab may collect and receive personal data in a variety of ways:
User data. We collect, store and process personal data submitted by users. This can be your contact data, health data and data concerning medical diagnoses, prescriptions, and orders for at-home tests in accordance with the consent provided by your device or other third-party API. Most of the data that we process is considered health data according to the GDPR.
Usage data
Additional data provided to DasLab. We also receive other data when submitted to our Platform or in other ways, such as when you request support, contact us via different means or otherwise communicate with DasLab.
Anonymized data. DasLab may anonymize and aggregate the data submitted by users to create de-identified datasets according to the consent users have provided.
Generally, no one is under a statutory or contractual obligation to provide any personal data. However, certain personal data is collected automatically and, if some Personal Data, such as authentication details, is not provided, we may be unable to provide the services of our Platform.
User data will be used by DasLab in accordance with the user’s consent or instructions, including any applicable terms in the Terms of Service and as required by applicable law.
DasLab uses personal data for the purposes of our legitimate interests in operating our Platform. DasLab also processes data for certain purposes based on specific legal bases (see the list below). More specifically, DasLab uses personal data:
For providing the service to the users and facilitating their access to their orders, prescriptions, and related information, the above-mentioned data will be processed based on your consent. This also includes sending emails and other communications.
If an order is being placed by the user, they must have a valid insurance policy with the associated health insurance provider and be a minimum of 18 years of age.
After an order is successfully placed, DasLab will transfer the order data to the fulfilment service provider for the purpose of product shipment and delivery.
DasLab will then transfer the order data to the laboratory for the purpose of providing diagnostic analysis.
To provide, update, maintain and protect our Platform. This includes the use of personal data to support delivery of the Services under the Terms of Use, including to prevent or address service errors, security or technical issues, and to analyse and monitor usage of the Platform and especially for usability problems. The data collected will be only the Cookie ID and then the information will be processed anonymously.
As required by applicable law, legal process or regulation.
To support and communicate with users by responding to users’ requests, comments and questions. If you contact us, we may use your personal data to respond.
Transactional: As part of our services, we provide users with certain communications and updates. We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications part of our Services to you, and sending them is based on our legitimate interest. Our legitimate interest is to provide you with information about account-related aspects.
Soft opt-in / Consent: In addition, we sometimes send emails about new product features, recommendations and promotional communications, or other news about DasLab, if you have given consent to these kinds of updates. You can opt out of these messages at any time with effect for the future by using the unsubscribe link included in all of these communications.
To investigate and help prevent security issues and abuse. This data processing is based on our legitimate interest. Our legitimate interest is to secure your data and to prevent abuse of data as part of data security.
If information is aggregated or de-identified so that it can no longer reasonably be associated with an identified or identifiable natural person, DasLab may use it for any business purpose. To the extent information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”
We use services and applications offered either by ourselves or by third parties. These include services that use technologies to store or access information in the end device:
Cookies: information stored on the end device, consisting in particular of a name, a value, the domain to be stored and an expiration date. So-called session cookies are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date.
Web Storage (Local Storage / Session Storage): Information stored on the end device, consisting of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiration date and remains stored unless a mechanism for deletion has been set up (e.g., storage of a local storage with time entry).
You can also choose to manually delete cookies or data held in Local or Session Storage on your device at any time.
Name | Provider | Purpose | Expiry | Location | Type |
---|---|---|---|---|---|
CookieConsent | Cookiebot | Stores the user's cookie consent state | 1 year | USA | HTTP |
several | google.com | Used by the Google product Firebase to ensure only logged in users have secure access to the DasLab products. | 1 year | USA | HTTP |
i18n_redirected | daslab.health | Determines the preferred language of the visitor. Allows the website to set the preferred language upon the visitor's re-entry. | 1 year | Germany | HTTP |
SL_C_23361dd035530_SID | Smartlook | Contains the project key, session ID, and visitor ID. Session and visitor IDs are unique identifiers assigned to new sessions and visitors. | 13 months | USA | HTTP |
SL_L_23361dd035530_SID | Smartlook | Contains the project key, session ID, and visitor ID. Session and visitor IDs are unique identifiers assigned to new sessions and visitors. Data is stored locally. | 13 months | USA | HTTP |
We use services and applications necessary for the operation of the website on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in order to provide the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. In these cases, access to and storage of information in the end device is absolutely necessary and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 para. 2 of the Telecommunications-Telemedia Data Protection Act.
DasLab will retain user data in accordance with a user’s instructions, including any applicable terms in the Terms of Use, and as required by applicable law.
Your personal data will be deleted or blocked as soon as the purpose is achieved, provided that no retention periods or further legal basis for the storage exist. However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is required by legal regulations to which we are subject.
This section describes how DasLab may share and disclose personal data. Users determine their own policies and practices for the sharing and disclosure of personal data. DasLab does not control how they or any other third party chooses to share or disclose personal data.
DasLab may share and disclose personal data in accordance with a user’s consent, including any applicable terms in the Terms of Use and the Customer’s use of the Services and in compliance with applicable law. Where necessary, we may only share personal data with third parties where we have obtained consent to do so, or data protection related contracts have been concluded or another legal basis exists such as a legitimate interest or a legal obligation. Furthermore, we may engage service providers acting as processors.
We may share personal data as follows:
Subcontractors. We may engage third-party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Users.
Third-Party Services. Users may enable Third-Party Services. When enabled, DasLab may access and exchange personal data of users with the provider of a Third-Party Service on the User’s behalf. Third-Party Services are not owned or controlled by DasLab and third parties that have been granted access to personal data may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.
As described above, DasLab will transfer your above-mentioned data to a laboratory and a fulfilment service provider for the above-mentioned purposes.
During a change to DasLab’s business. If DasLab engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of DasLab’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all personal data may be shared or transferred, subject to standard confidentiality arrangements.
To comply with laws. If we receive a request for personal data, we may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of DasLab, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.
DasLab takes security of personal data very seriously. We strive to protect all personal data from loss, misuse, and unauthorized access or disclosure, and therefore use appropriate technical and organizational security measures. Our security measures include encryption, firewalls, access controls, and regular security audits. We continuously monitor and update our systems to stay ahead of emerging threats and ensure the highest level of security for your data. Our security measures are continuously improved in line with technological developments.
Given the nature of communications and information processing technology, DasLab cannot guarantee that, during transmission through the internet or while stored on our systems or otherwise in our care, personal data will be safe from intrusion by others.
Our Platform may contain links to websites and services operated by third parties. If you follow a link to any of these websites or services, please note that these websites and services have their own privacy policies and terms and conditions. Further, we have no responsibility for, or control over, the information collected by any third-party website, and we cannot be responsible for the protection and privacy of any information which you may provide to these websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.
DasLab does not allow use of our Platform by anyone younger than 16 years old (“Minor”). If you learn that a Minor has unlawfully provided us with personal data, please contact us and we will take steps to delete this information.
By using our Platform, you represent and warrant that you are not a Minor as of the date of first access to our Platform.
If you are a Minor, you represent and warrant that you are accessing the Platform with the consent of a competent guardian over the age of 16 years old who takes responsibility for your use of the Platform.
We also engage service providers located outside the European Economic Area (in the US). We have taken steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR). In addition, an adequacy decision (EU-U.S. Data Privacy Framework) exists for data transfers to the US, which was adopted by the European Commission on 10 July 2023. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
With service providers based in third countries, we have concluded either a data processing agreement according to Art. 28 GDPR or a joint controllership according to Art. 26 GDPR, as well as standard contractual clauses (as mentioned above), depending on the contractual constellation.
Where we are the controller of your personal data, the GDPR data protection rights set out below apply to you, provided the requirements are met.
Most of these rights are not absolute and are subject to exemptions under applicable law. We will respond to any request to exercise your rights without undue delay and in any event within one month of receipt of the request, but we have the right to extend this period in certain circumstances. If we extend the response period, we will let you know within one month from your request. If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply with it. To exercise these rights, please submit a request to us by sending an email to contact@daslab.de.